secure communications over insecure channels using an ...secure communications over insecure...

Secure Communicationsover Insecure Channels

Using an Authenticated Channel

Sylvain [email protected]

Master Thesis WorkSchool of Computer and Communication Sciences

6th September 2005

Professor Serge [email protected]

EPFL / LASEC

Sylvain Pasini

2

To Elysa, my goddaughter

3

Sylvain Pasini

4

Acknowledgements

I would like to express my gratitude to my supervisor, Professor Serge Vaudenay, who offeredme the chance to carry out my master thesis at the LASEC. Everything started in March2004 with my first course “Security and Cryptography”. I would like to start thanking SergeVaudenay for having succeeded to pass his knowledge of cryptography to me. I was aboutto discover a new passion. Indeed, Cryptography is a mysterious world. I always have foundfunny the way mathematical tools can be applied to practical systems. A cryptograph hasa special way thinking: everytime, everywhere, he tries to find “holes in every wall”. Sincethen, I carried out a semester project and the present master thesis in LASEC. Thanks tohis experience, vast knowledge, and rigour, I had the opportunity to discover the world ofresearch. With his assistance, I was able to submit my first paper and to write the documentyou are holding.

During the six months of my master thesis, I was pleased to collaborate with all mem-bers of LASEC. The environment within this laboratory was very friendly and gave me theopportunity to acquire knowledge in many domains. I believe that all members deserve mythanks1:

As usual, Gildas Avoine is the first cited. I remember very good moments spent with him.I thank him for that and for all his advice, especially in LATEX. Between motorcyclists, thecurrent is always on...

The person who supervised me during my semester project, and advised me to carry out mymaster thesis at the LASEC, is Thomas Baigneres. Without him, I would not be part of thecrypto world today. Thanks Thomas!

Let us not forget the two distant PhD students from Gemplus, Claude Barral and JulienBrouchier, who came a few times to visit us and who brought us the sun from the south.Unfortunately, they always took it back with them.

Our secretary Matine Corval deserves to be thanked, especially for her availability whenit comes to helping us including administrative tasks (to which I really don’t understandanything).

I would especially like to thank Matthieu Finiasz for all his help. Thanks to his very goodavailability, his friendliness, his patience, and his knowledge, I had many opportunities toexchange ideas and to expose problems, often coming out of his office with a solution. I getalong very well with him and he became one of my best friends.

1alphabetic order

5

Sylvain Pasini

Yi Lu was the only person sharing my room and I thank her for keeping me company.Jean Monnerat, always of good mood and ready to defend Switzerland or his canton (thebeautiful Jura), gave place to many animated debates. I thank him for his help, especially inmathematics and LATEX.The newest member of the LASEC, Martin Vuagnoux, deserves to be thanked for his funnystories which make us laugh so much, especially his spectacular side-channel attacks.

Sharing the majority of our projects, spending much hours together (mostly in the train),Israel Hernandez became one of my best friends. I also thank him for his assistance duringthis work, including his help in Java programming.

Dr. Michel Kocher, my supervisor during my first diploma at the Engineering School ofGeneva, who motivated, and encouraged me also deserves my thanks. I would like to thankhim for his collaboration during my months of diploma work and for advising me to continuemy formation at the EPFL. Without him, I would never have known the EPFL.

My parents should obviously not be forgotten. Thanks to them, I had the chance (amongstother things!) to follow an excellent formation and I greatly thank them. My final thanks goto Nadia. The two of us shared both moments of happiness and a few more difficult times.It is probably these latter which helped bring us together even more. No matter when andwhy, she always kept encouraging me and took it upon herself to leave me enough spare timeto conclude this work (even if it sometimes required a few negociations!). I finally thank herfor her Love to which I had never found any limit. I think now it would be difficult for meto live without her... I want finally to thank all three of them for their support during thesefew years of studies.

After this pleasant period, I wanted to continue and I thus postulated for a PhD thesis...Thanks to everyone!

6

Abstract

A secure peer-to-peer communication over an insecure channel without any prior exchangedkey can be established with the help of an authentication step to exchange a public key.Then, standard methods of public-key cryptography such as RSA can be used to communicatesecurely.

In this work, we concentrate on message authentication protocols which require an extraauthenticated channel. We start by describing some possible human communications chan-nels, such as telephone, and by analyzing them according to some properties, in particularauthentication properties. Then, we recall some message authentication protocols which usean authenticated extra channel. In addition, we recall different types of authentication. Forinstance, we recall biometrics-based systems which use the ability of humans to recognize thevoice of the distant user. We recall also distance bounding-based systems which assumes thatthere is no other systems in the “integrity area”.

In a second step, we prove the maximal security of a message authentication protocolagainst adversaries and we show that a protocol using k-bit authenticated strings reaches themaximal security when the distribution among all possible authenticated strings is uniform.More precisely, we sketch three generic attacks against any message authentication protocol.Using these results, we study the security of different authentication protocols, either non-interactive or interactive.

In addition, we propose a new protocol which achieves the same security level againstoffline attacks as that of the one used today in many systems, such as SSH or GPG, butusing much less authenticated bits.

Finally, we compare interactive and non-interactive authentication protocols and we studytheir usability in different applications.

7

Sylvain Pasini

8

Contents

Introduction 11

1 The Authentication Problem 131.1 The Human Communication Channels . . . . . . . . . . . . . . . . . . . . . . 131.2 Setup a Secure Communication over an Insecure Channel . . . . . . . . . . . 15

1.2.1 Conventional Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 151.2.2 Setting up Secure Channels without Confidential Channel . . . . . . . 161.2.3 Public-Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 16

2 Message Authentication Nowadays 192.1 Protocols Using an Authenticated Channel . . . . . . . . . . . . . . . . . . . 192.2 Protocols Using Biometric Signals . . . . . . . . . . . . . . . . . . . . . . . . 212.3 Protocols Using Distance Bounding . . . . . . . . . . . . . . . . . . . . . . . . 23

3 Preliminaries 273.1 Adversarial Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.2 Authenticated Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

3.2.1 Weak Authenticated Channels . . . . . . . . . . . . . . . . . . . . . . 293.2.2 Stronger Authenticated Channels . . . . . . . . . . . . . . . . . . . . . 293.2.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

3.3 Message Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . 303.4 Commitment Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

3.4.1 Tag-Based Commitment Model . . . . . . . . . . . . . . . . . . . . . . 323.4.2 Completeness, Hiding, and Binding Properties . . . . . . . . . . . . . 323.4.3 Ideal Commitment Model . . . . . . . . . . . . . . . . . . . . . . . . . 343.4.4 Extractable and Equivocable Commitment Schemes . . . . . . . . . . 353.4.5 Trapdoor Commitment Model . . . . . . . . . . . . . . . . . . . . . . 363.4.6 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

3.5 Hash functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403.5.1 Collision-Resistant Hash Functions . . . . . . . . . . . . . . . . . . . . 403.5.2 Weakly Collision-Resistant Hash Functions . . . . . . . . . . . . . . . 403.5.3 Universal Hash Functions Families . . . . . . . . . . . . . . . . . . . . 40

9

Sylvain Pasini

4 On the Required Entropy of Authenticated Communications 414.1 A Generic One-Shot Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424.2 A Generic Multi-Shot Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . 434.3 A Generic Multi-Shot Attack Against Non-Interactive Protocols . . . . . . . . 444.4 A Short Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

5 Non-Interactive Authentication Protocols 455.1 A Non-Interactive Authentication Protocol Based on a Collision-Resistant Hash

Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465.2 A Non-Interactive Authentication Protocol using Strong Authentication . . . 465.3 A Proposed Non-Interactive Authentication Protocol using Weak Authentica-

tion Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

6 Interactive Authentication Protocol 536.1 The Vaudenay SAS-based Protocol . . . . . . . . . . . . . . . . . . . . . . . . 536.2 Short Security Analysis, Optimality . . . . . . . . . . . . . . . . . . . . . . . 546.3 A First Application: OpenSSH . . . . . . . . . . . . . . . . . . . . . . . . . . 546.4 A Peer-To-Peer File Authentication . . . . . . . . . . . . . . . . . . . . . . . . 57

6.4.1 The Implemented Protocol . . . . . . . . . . . . . . . . . . . . . . . . 576.4.2 The Final Application . . . . . . . . . . . . . . . . . . . . . . . . . . . 596.4.3 Number of SAS Trials . . . . . . . . . . . . . . . . . . . . . . . . . . . 606.4.4 In Short . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

7 Interactive vs. Non-Interactive Protocols and their Applications 637.1 A Short Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637.2 Some Applications Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

7.2.1 Applications Based on Public Keys . . . . . . . . . . . . . . . . . . . . 647.2.2 Bluetooth Devices Pairing and Wireless USB . . . . . . . . . . . . . . 65

Conclusion 67

Bibliography 69

List of Figures 75

Appendix A 77

Appendix B 79

10

Introduction

One key issue in cryptography is to achieve secure peer-to-peer communications over insecurechannels. Chapter 1 describes how to establish such a channel. In shot, using conventionalcryptography, like DES [DES77], it is necessary that the users share a confidential key K.The only human manner to exchange a private key is to encounter. Phone, mail and emailare not secure. Consequently, the users must meet face to face which can be hard andexpensive. Using the Diffie-Hellman model [DH76] the key establishment has been reducedto the exchange of authenticated messages. Using public key cryptography, like RSA [RSA78],we know that it is possible to reduce the problem of establishing a secure communication overan insecure channel by exchanging public keys in an authenticated way. This work is abouthow this exchange is performed.

Different solutions were proposed to authenticate a public key. In Chapter 2 we recallsome of them. In particular, we describe authentication protocol using distance boundingwhich is well adapted for devices pairing. We also describe a biometric-based system whichuse the ability of human beings to identify a voice. Finally, we recall three systems which usean extra authenticated channel such as telephone. These three are described in short below.

The most straightforward way to authenticate public keys is a scheme which was formal-ized by Balfanz et al. [BSSW02]. The proposed protocol is non-interactive and based on acollision resistant hash function. It simply consists of first sending the message and then au-thenticating its hashed value. The authenticated value must contains at least 160 bits (to becollision resistant) which is quite long. Note that this protocol is actually used in OpenSSHfor the server public key authentication, in PGP and GPG for the exchange of personal publickey, and many others.

Gehrmann-Mitchell-Nyberg have proposed in [GMN04] the MANA I Protocol. It allowsto authenticate a message in a non-interactive way using an authenticated string of 16-20bits only. On the other hand, the security requires strong assumptions on the authenticationchannel since the protocol is known to be insecure in other cases. Note that MANA protocolshave been designed for wireless devices such as Bluetooth devices.

Vaudenay proposed in [Vau05] an interactive message authentication protocol based onShort Authenticated String (SAS). It is shown that a 15-bit SAS provides pretty good se-curity which is much shorter than the first protocol presented. Note that it uses a weakauthentication channel while MANA requires a stronger one.

The problem of message authentication using extra authenticated channels was also for-malized by Vaudenay [Vau05]. The present thesis is based on this formalism. Chapter 3

11

Sylvain Pasini

describes the necessary preliminaries based on this formalism. First, this chapter starts bydescribing the adversarial model and defining authenticated channels and message authen-tication protocols. Then, it recalls some properties of commitment schemes and trapdoorcommitment schemes. In particular, it explains that a commitment scheme can be seen asa “locked combination safe” which allows a user to commit on a value without revealing it.Finally, it defines properties of hash functions.

In Chapter 4, we analyze the maximal security of a general message authentication pro-tocol. First, we consider only one-shot adversaries which can use one instance of each twopeers. Then, we generalize to powerful adversaries that can use several instances of the twopeers, i.e. considering collision attacks. In addition, we prove that a message authenticationprotocol is optimal when it uses uniformly distributed authenticated strings.

In Chapters 5 and 6, we discuss the security of the above message authentication proto-cols. We propose a new non-interactive protocol based on a commitment scheme and weaklycollision resistant hash function. Our protocol allows shorter authenticated strings than theones required by the protocol presented by Balfanz et al. [BSSW02]. We prove that ourproposed protocol is optimal and we deduce the non-optimality of the other protocol.

The Vaudenay SAS-based protocol [Vau05] had never been used in a practical implemen-tation. In Section 6.3, we propose an implementation in OpenSSH which is a straightforwardapplication. A first advantage of [Vau05] is the fact that users are forced to enter the SASsince in the other case they can not establish the connection. More precisely, users can notagreed the key without authentication. A second advantage is the short length, in particularwhen users must establish a secure communication quickly. Suppose for example a disastercause in a bank and the administrator is abroad. Thus, he must establish a very quick con-nection with the server using a new generated pair of keys. The administrator is forced toauthenticate the public key quickly. Using the SAS-based protocol, he has just to call thebank, starts the protocol, and finally types the SAS which has been obtained with the helpof a responsible person.

In this application, the interactivity of the protocol is a problem: Suppose a client wouldopen a connection with an OpenSSH server using the SAS-based protocol. He requires toenter the authenticated SAS which is in general transmitted by telephone. Consequently, theadministrator must reply to telephone and transmit the SAS for each new connection in hispark of hosts. Clearly, the administrator becomes quickly overloaded by the fact of havingto transmit many SAS. We have thus to discuss about interactivity and non-interactivity asit is made in Chapter 7.

Finally, we propose an application of the SAS-based authentication protocol proposed byVaudenay [Vau05] in which the interactivity is not a problem. In Section 6.4, we consider fileauthentication and in particular peer-to-peer file authentication. Note that a public key is inreality a file and thus can be authenticated by using this new application. In this example,the SAS can be exchanged by telephone between the two persons as if they had to exchangea fingerprint but exchanging only 15 bits instead of the 160 bits of a fingerprint.

12

Chapter

ONE

The Authentication Problem

1.1 The Human Communication Channels

Humans can communicate in different ways, i.e. using different human communication chan-nels. Depending on the requirements, he chooses one of them. For example, if a humanbeing needs to reach another human being for urgent matters, he must choose a channelwith high availability and low latency such as a telephone link. But, if he would transferan amount of money, he must establish a reliable authentication by going to the desk toencounter the person of the bank. (Nowadays, he can use the Internet with prior establishedsecurity association.)

The security of communication channels can be characterized by some security attributeswhich are defined below.

Definition 1 (Security Attributes). Suppose a communication channel between a sender,called Alice, and a receiver, called Bob. A message m is sent on the input and a message mcan be read on the output. We define the following security properties:

Confidentiality assumes that only the legitimate receiver, i.e. Bob, can read the messagem.

Integrity assumes that the received message m is the same as the input message m, i.e.m = m.

Authenticity assumes that only the legitimate sender, i.e. Alice, can input a message minto the channel. This is often combined with integrity, i.e. m = m can only be issuedby Alice.

Freshness assumes that the received message m was not received before.

Liveliness assumes that a message m which has been sent by Alice will eventually be deliveredto Bob.

13

Sylvain Pasini

Timeliness assumes that a message m which has been send by Alice will be delivered imme-diately to Bob.

In addition, to compare the different human communication channels, it is necessary todefine other properties which characterize the usability of these channels. These communica-tion properties are defined below.

Definition 2 (Communication Properties). Suppose a communication channel between asender, called Alice, and a receiver, called Bob. We define the following communicationproperties:

The cost represents the required amount of money spent to establish the communicationchannel and to transmit a message from Alice to Bob.

The availability expresses the fact that the channel can easily be established at any time.

The speed rate represents the amount of data that can be transfered from Alice to Bob fora fixed time duration.

The latency represents the amount of time between the moment when Alice sends the mes-sage and the moment when Bob receives it.

Using Definition 1 and Definition 2, it is possible to compare the common human com-munication channels in a cryptographic way.

Face to face conversation allows perfect authentication, perfect integrity and in certaincases, confidentiality. In addition, freshness, liveliness, and timeliness are trivially ensured.However, this channel can have a very high cost if, for example, the two persons are far fromeach other. For the same reasons, the availability is also bad. Note that the communicationhas no latency but a low speed rate. In conclusion, this human channel achieves high securitybut low throughput.

Telephone is like a face to face conversation but allows a third party to spy the commu-nication. Thus, this channel does not guarantee confidentiality.On the other hand, it has a much lower cost and a higher availability. In short, it guaranteesauthentication assuming that both users can recognize the remote voice.

Mail, like a postcard or a parcel, is not confidential either. It can be easily lost and thusthis channel does not guarantee liveliness.We can consider that a handwritten mail achieves authentication by assuming that the recip-ient can identify the writing. As for telephone, this channel guarantees availability but has along latency.

Electronic mail is the worst communication channel in terms of security, it protectsnothing by itself.However, it is the easiest communication channel and its costs is very small (too small if weconsider the spam phenomenon), the availability and the speed rate are very high.

A short overview of the security and communication properties for each human communi-cation channel is described on Fig. 1.1. Note that it is in fact a trade off between the securityand the human usability. I.e. the more secure is a face to face conversation but it is the less

14

1 - The Authentication Problem

Interactive Non-interactiveEncounter Telephone Mail Email

Authenticity X X XIntegrity X X XConfidentiality XFreshness X X XLiveliness X XTimeliness XCost X X XAvailability X XSpeed rate XLatency X X X

Figure 1.1. The Common Human Communications Channels

usable. In the other hand, the more usable is the email channel but it is the less secure. Fora specific use, we have to choose the better human communication channel depending on thesecurity required and the available cost.

Remark 1. Confidentiality is achieved only using a face to face conversation which can bevery expensive in certain cases. However, a phone call, which is very easy to setup world-wide, achieves authentication assuming that the two speakers can identify the distant one byrecognizing his voice.

1.2 Setup a Secure Communication over an Insecure Channel

One of the main cryptographic issues is the problem of establishing a secure peer-to-peercommunication over an insecure channel. Often, users can use an extra channel which achievesconfidentiality and/or authenticity. In this section, some solutions are analyzed dependingon the extra channel assumptions.

1.2.1 Conventional Cryptography

Using conventional cryptography, it is possible to establish a secure peer-to-peer channel as-suming that we can establish a private and authenticated key. In fact, we use the ShannonModel [Sha49] which is depicted on Fig. 1.2. Using this model, confidentiality can be achievedusing symmetric encryption. Symmetric encryption can be done using either stream ciphers,like E0 [Blu03], or block ciphers, like DES [DES77], AES [AES01], or FOX [JV03]. Authentic-ity and integrity can also be achieved using message authentication codes (MAC). In general,MAC can be constructed from stream ciphers or block ciphers, like the One-Key CBC MAC(OMAC) by Iwata and Kurosawa [IK03], or hash functions, like HMAC by Bellare-Cannetti-Krawczyk [BCK96]. Note that confidentiality, authenticity and integrity can be achieved atthe same time using a combined mode.

From the previous section, one can note that a face to face conversation is the onlycommon human communication channel which achieves confidentiality, see Remark 1. Thesehuman communication channels can be very expensive and hard to establish. One wouldtherefore favor the usage of channels which do not require confidentiality.

15

Sylvain Pasini

INSECUREEnc

AUTHENTICATED

DecYX

Key K

CONFIDENTIAL

MessageDestination

Source

SourceKey

X

Adversary

Figure 1.2. The Shannon Model [Sha49].

1.2.2 Setting up Secure Channels without Confidential Channel

In Merkle [Mer78] and Diffie-Hellman [DH76], it was shown a way to reduce the confidentialextra channel to an authenticated extra channel. This channel is used to agree on a privatekey only by authenticating the exchanged messages. This is described by the Merkle-Diffie-Hellman model [Mer78, DH76] which is depicted on Fig. 1.3.

INSECURE

Y

AUTHENTICATED

Adversary

Enc

Key K Key K

Dec

ExchangeA ExchangeB

MessageSource

XDestination

X

Figure 1.3. The Merkle-Diffie-Hellman Model.

An example is the Diffie-Hellman key agreement protocol [DH76] which is depicted onFig. 1.4. Each party knows the public parameter g which spans a group G. Alice, resp. Bob,picks a random number x, resp. y and computes X ← gx, resp. Y ← gy. Then, Alice sendsX to Bob and Bob sends Y to Alice. Alice, resp. Bob, computes Y x, resp. Xy, which arein fact gxy. Thus, they share a secret key K = gxy. Note that g is chosen such that for anyadversary who knows X and Y it is hard to retrieve x and y (Discrete Logarithm Problem).Consequently, it is hard to find the key K. On the other hand, without authentication anadversary can run a man-in-the-middle attack between the two participants, so authenticationis required for this protocol.

1.2.3 Public-Key Cryptography

Using public-key cryptography, it is also possible to relax the private hypothesis (confiden-tiality) on the extra channel. It can further be assumed to be unidirectional. We obtaina semi-authenticated key transfer, for example using RSA [RSA78], as depicted in Fig. 1.5.For instance, it can be used to transfer a private symmetric key and thus establish a securecommunication using an extra channel which achieves authenticity only. Thus, the required

16

1 - The Authentication Problem

Alice Bobpick x pick y

X ← gx X−−−−−−−−−−−−−−→Y←−−−−−−−−−−−−−− Y ← gy

K ← Y x = gxy K ← Xy = gxy

Figure 1.4. The Diffie-Hellman Key Agreement Protocol.

channel, which before required confidentiality, has been reduced to an authenticated channel.

INSECUREEnc Dec

YXMessageDestination

SourceX

AUTHENTICATED

GeneratorKey

Adversary

Secret key KsPublic key Kp

Figure 1.5. The Semi-Authenticated Key Transfer Using Public-Key Cryptography.

Remark 1 says that establishing a private channel, i.e. which achieves confidentiality andauthenticity, is hard since it requires a face to face conversation. In addition, it says thatan extra channel which achieves only authenticity can be established simply by telephone.Thus, we can setup a secure communication over an insecure channel without requiring toencounter, but simply using telephone by exchanging a public key in an authenticated way.

To conclude, establishing a secure peer-to-peer communication can be reduced to “sim-ply” exchanging a public key in an authenticated way as described on Fig. 1.5. Note thatRSA [RSA78] requires actually 1024 bits which is still long for authenticated human commu-nication channels like telephone. We have thus to reduce the amount of authenticated bits byusing protocols and by assuming that a fixed security S is enough, where S is a set contain-ing the maximal probability of success p, the maximal complexity T , the maximal number oftrials Q (instances). For instance, we can consider T ≤ 270, Q ≤ 210, and p ≤ 2−20.

17

Sylvain Pasini

18

Chapter

TWO

Message Authentication Nowadays

In the previous chapter, we have reduced the problem of establishing a secure communicationover an insecure channel to the problem of exchanging a public key in an authenticated way,e.g. using the telephone. We have also seen that a key is in general 1024 bits long.

In addition, we have seen some human authenticated channels that can be used. Forinstance, using telephone as the human authentication channel, it can take long time toauthenticate the 1024 bits as is. Thus, human beings would use more user-friendly systems.In this chapter, we present protocols which allow to reduce the amount of authenticated data.

Many authentication methods exist and we describe briefly some of them. First, we discussauthentication methods which use an extra authenticated channel, such as telephone or mail(see Section 1.1). Then, we discuss about biometrics-based authentication. In particular, wetalk about voice recorded signal that can be exchanged over the insecure channel. This recordscan be seen as an authenticated channel with particular assumptions. Finally, we discussabout distance bounding authentication. These methods check whether the two devices arealone in a bounded area, called integrity area, by measuring round trip times. Then, theyconclude on an authenticated channel between them since they are ensured that they werecommunicating with no third party.

2.1 Protocols Using an Authenticated Channel

In this section, we present some message authentication protocols which can be used toauthenticate a public key Kp by transmitting shorter authenticated strings through an au-thenticated channel and the complete message through an insecure channel.

Assume that Bob wants to authenticate the public key Kp of Alice with no prior exchangedkeys. She can communicate over an insecure channel and over an extra authenticated channel.Note that the authenticated channel is expensive and she has to minimize the amount ofauthenticated data through them. Assume that the exchange of the public key (without

19

Sylvain Pasini

authentication) is easy, it can be done for example by email. Many solutions exists for Bobto authenticate the public key of Alice. In the following, we discuss about three messageauthentication protocols and we consider the more general problem of authenticating anarbitrary message m, instead of a public key Kp (e.g. m = Kp).

Today, the most common way to authenticate a message was presented by Balfanz etal. [BSSW02]. The protocol is based on a collision resistant hash function. It is depicted onFig. 2.1. The sender of the message m, Alice, sends it to the recipient, Bob, using the insecurechannel. Recall that m is not private. Note that we put a hat on the non authenticated valuessince they can differ from sent messages. Alice, resp. Bob, computes the hash value h, resp.h, of the message m, resp. of the received message m. Now, Alice has to authenticate thehashed value h to Bob. Comparing the received value h and his computed value h, Bob cancheck whether the received message m has been send by the owner. One advantage of thisprotocol is that it is non-interactive. On the other hand, due to the non-interactivity, offlineattacks are possible and are often very dangerous. Collision attacks works with a complexityof O(2k/2) where k is the size of h. Thus, the authenticated message must contains at least160 bits to avoids attacks using the birthday paradox.

Alice Bobinput: m

m−−−−−−−−−−−−−−→ h← H(m)

h← H(m)authenticateAlice(h)−−−−−−−−−−−−−−→ check h = h

output: Alice, m

Figure 2.1. Non-Interactive Message Authentication Using a Collision Resistant Hash Func-tion.

To reduce the size of the authenticated strings, Gehrmann-Mitchell-Nyberg [GMN04] haveproposed the MANA I protocol which is depicted on Fig. 2.2. As in [BSSW02], the sender ofthe message m Alice sends it to the recipient Bob using the insecure channel. As before, thisstep can be done for example by email. Then, she picks a key K uniformly in 0, 1k andcomputes µ← HK(m). Finally, she authenticates K||µ to Bob. Bob can also check whetherthe hashed value of the received message m, i.e. HK(m), is equal to µ. The security requiresa “stronger” authenticated channel since the protocol is known to be insecure with “weak”authentication only. Note that the randomness of the key K avoids collision attacks. Indeed,an adversary must run several instances of the protocol which is easy to detect. It allows toauthenticate a message in a non-interactive way using only a 16-20 bits authenticated string.

Finally, an interactive message authentication protocol based on Short AuthenticatedString (SAS) which uses very few authenticated bits was proposed by Vaudenay [Vau05]. Hisprotocol is depicted on Fig. 2.3. The sender of the message m Alice, resp. the recipient Bob,picks a random value RA, resp. RB. Alice sends the message m to Bob and commits on hisvalue of RA. Note that this protocol uses a tag-based commitment scheme in which the tag mis revealed, but the value RA is kept hidden to Bob. As before, the message can be exchangedfor example by email from Alice to Bob. Due to the commitment, Alice cannot change hisvalue of RA. Bob sends his random value RB and finally Alice sends the decommit value.

20

2 - Message Authentication Nowadays

Alice Bobinput: m

m−−−−−−−−−−−−−−→pick K ∈U 0, 1k

µ← HK(m)authenticateAlice(K||µ)−−−−−−−−−−−−−−→ check µ = HK(m)

output: Alice, m

Figure 2.2. The MANA I Protocol.

Both can compute its local SAS value. Alice authenticates, e.g. by telephone, the SAS valueto Bob which can check whether it is valid. It is shown in [Vau05] that a 15-bit SAS usingweak authentication provides pretty good security.

Alice Bobinput: m

pick RA ∈U 0, 1k pick RB ∈U 0, 1k(c, d)← commit(m, RA)

m||c−−−−−−−−−−−−−−→RB←−−−−−−−−−−−−−−d−−−−−−−−−−−−−−→ RA ← open(m, c, d)

SAS← RA ⊕ RBauthenticateAlice(SAS)−−−−−−−−−−−−−−→ check SAS = RA ⊕RB

output: Alice, m

Figure 2.3. Interactive SAS-based Message Authentication.

2.2 Protocols Using Biometric Signals

A method to setup secure communications based on vocal biometric signals was proposed byWu-Bao-Deng [WBD05]. The protocol is depicted on Fig. 2.4. It allows Alice to authenticateBob and to setup a secret session key. Note that it uses Diffie-Hellman values to establishthe secret session key. These values are authenticated using voice signals and agreed with thehelp of a timer which allows to detect man-in-the-middle attacks.

In the proposed protocol, Alice, resp. Bob, chooses a value x, resp. y, and computes herDiffie-Hellman value X ← gx, resp. Y ← gy. Alice, resp. Bob, computes their local key byhashing their Diffie-Hellman value, i.e. KA ← h(X), resp. KB ← h(Y ). Then, Alice recordsa “challenge” CA which is authenticated by her voice and sends the encrypted value ECA

toBob. The encryption is done using her local key KA. Note that this notion of “challenge”is quite trivial here. The only challenge is indeed, for Bob, to make an answer which isconsistent with the “challenge” from Alice. For instance, the “challenge” can be the sentence“what did you wrote in your last mail?”. Bob makes the same operations and sends ECB

to Alice. Note that each recorded sound must be as least of duration T . We stress that atthis time nobody can listen to the challenges since they are encrypted and the keys are keptsecret. Alice starts a clock and reveals her Diffie-Hellman value X. Thus, Bob computes KA,i.e. KA ← h(X), decrypts the challenge of Alice, listens to it and checks the voice identity. If

21

Sylvain Pasini

the voice is not the one of Alice, Bob stops the protocol, otherwise he records a response RB

to the challenge CA. Bob can now compute the common key KBA using the Diffie-Hellmanprotocol, i.e. KBA ← Xy. He encrypts the response using the common key KBA, sends theencrypted value and reveals his Diffie-Hellman value Y . When Alice receives the values, shestops the clock. She can now deduce the common key KAB, i.e. KAB ← Y x, and the keyof Bob, i.e. KB ← h(Y ). Now, she can listen to the challenge of Bob CB and the responseof Bob RB to her challenge CA. Finally, she checks the time elapsed and the identity of thetwo sounds recorded by Bob and whether the response is consistent with the challenge. If noattack occurred, she outputs the identity, i.e. Bob, and the Diffie-Hellman session key.

Alice Bobpick x ∈U 0, 1k pick y ∈U 0, 1k

X ← gx Y ← gy

KA ← h(X) KB ← h(Y )CA ← record()

ECA← EncKA

(CA)ECA−−−−−−−−−−−−−−→ CB ← record()ECB←−−−−−−−−−−−−−− ECB ← EncKB (CB)

start(clk1) X−−−−−−−−−−−−−−→ KA ← h(X)KBA ← h(Xy)

CA ← DecKA(ECA)

check identity(CA)

RB ← record()

ta ← stop(clk1)ERB

||Y←−−−−−−−−−−−−−− ERB ,KBA ← EncKBA(RB)

KB ← h(Y )KAB ← h(Y x)

CB ← DecKB(ECB

)RB ← DecKAB

(ERB)

check ta, CB , RB

output: Bob,KAB output: KBA

Figure 2.4. Semi-Authenticated Key Agreement Using Voice Records.

To understand the role of the timer, we present the man-in-the-middle attack depictedon Fig. 2.5. An adversary can obtain a challenge from Alice CA simply by answering achallenge C ′

B since it is encrypted and thus cannot be verified by Alice at this moment.Alice responds with her Diffie-Hellman value X and gives CA to any adversary. Note thatthe adversary cannot mimic Bob, but he can encrypt an old challenge of Bob (replay), i.e.Cold

B . The adversary has now to respond to the challenge of Alice. It cannot mimic Boband consequently he has to request Bob to respond to the challenge CA from Alice. Heproceeds simply by impersonating Alice to Bob, submitting the challenge CA and obtaining

22


the response RB. Finally, the adversary answers to Alice with the response RB (encrypted)from Bob.

Alice Adversary BobKA KZ KB

ECA−−−−−→ECB←−−−−− ECB

← EncKZ(Cold

B )start(clk1) X−−−−−→ CA ← DecKA

(ECA)

ECA ← EncKZ (CA)ECA−−−−−→ECB←−−−−− CB ← record()

Z−−−−−→ listen(CA)

RB ← DecKB(ERB

)ERB

||Y←−−−−− RB ← record()

ta ← stop(clk1)ERB

||Z←−−−−− ERB← EncKZ

(RB)check ta, CB , RB

output: Bob,KAZ output: KBZ

Figure 2.5. Man-In-The-Middle Attack (Simplified Version).

Note that the time elapsed ta corresponds to the time for Bob to record the challenge CB,to listen to the challenge from Alice CA, to record the response RB, and some duration δ forcomputations and transmissions, i.e. ta = |CB|+ |CA|+ |RB|+ δ ≥ 3T + δ. Without attack,Bob does not have to record his challenge during this time since it has been recorded before,i.e. ta = |CA| + |RB| + δ ≥ 2T + δ. Using the timer, Alice can detect man-in-the-middleattacks. This attack shows the important role of the timer in this protocol.

We note that this protocol is very sensitive to the time in which Bob responds. SupposeBob has make a mistake in his record sample and records another one. He have listened to thechallenge of Alice and recorded two samples. Thus, the time elapsed seems to be a man-in-the-middle attack. In conclusion, this protocol is quite hard to implement in a user-friendlyway since the timing is constraining for Bob.

2.3 Protocols Using Distance Bounding

Brands and Chaum [BC93] have proposed a practical method to upper-bound the physicaldistance between two devices. For instance, during an authentication phase between anemployee and an access control, the system would like to be ensured that the employee is near,i.e. a few meters. The proposed principle is quite simple. It consists of a challenge-responseusing only one bit on each message. The verifier V sends a bit (challenge) and the prover Preplies immediately with a bit (response). They assume that electronic devices which playthe role of prover can have very short timings between the reception of a challenge and thesending of the corresponding response. The verifier V has simply to measure the time elapsedbetween the sending of the challenge and the reception of the response. Knowing the timeelapsed, it can easily deduce the maximal distance between them. Two attacks are describedin [BC93]: the mafia fraud which is a man-in-the-middle attack where the adversary is a

23

Sylvain Pasini

fraudulent verifier at the same time as a fraudulent prover and an attack in which the proverP sends bits out too soon. Solutions for preventing both attacks are proposed in [BC93] andthe final protocol proposed is depicted on Fig. 2.6.

P V∀i ∈ 1..k mi ∈R 0, 1 ∀i ∈ 1..k αi ∈R 0, 1

(c, d)← commit(m1|| · · · ||mk) c−−−−−−→

Begin of rapid exchangeαi←−−−−−−

βi ← αi ⊕miβi−−−−−−→ mi ← βi ⊕ αi

End of rapid exchange

m← α1||β1|| · · · ||αk||βk

σ ← sign(m)d||σ−−−−−−→ m← α1||β1|| · · · ||αk||βk

check (c, d) = commit(m1|| · · · ||mk)check σ = sign(m)

Figure 2.6. Distance-Bounding Protocol.

Based on this distance upper-bounding, Cagalj, Capkun and Hubaux [CCH05] have pro-posed a key agreement protocol for wireless network, in particular for peer-to-peer commu-nication. In the previous protocol, it is not clear how the prover should sign the message.Cagalj, Capkun and Hubaux [CCH05] propose a method which only need authentication.The protocol is depicted on Fig. 2.7.

Brands and Chaum [BC93] proposed a method that prevents frauds where an adversaryruns a man-in-the-middle attack between a legitimate prover and legitimate verifier. Fraudswhere a malicious prover and an adversary collaborate to cheat a verifier have been leftopened. Bussard and Bagga [BB05] propose a solution for preventing both types of attacks.

Distance-bounding authentication cannot be used through the Internet since users are ingeneral far and some others users are closer to the distant one (with very high probability).In general, this not very useful for wired links.

In conclusion, this method is not useful for authentication through a large network, but itis well adapted for local wireless networks such as mobile phones, headset or PDA’s which arevery close. We don’t go more in detail into distance bounding protocols since we concentrateon general methods to do worldwide authentication.

24


Alice Bobinput: IDA, gXA input: IDB , gXB

Pick NA, RA ∈U 0, 1k Pick NB , RB ∈U 0, 1kmA ← 0||IDA||gXA ||NA mB ← 1||IDB ||gXB ||NB

(cA, dA)← commit(mA) (cB , dB)← commit(mB)

(c′A, d′A)← commit(0||RA)cA||c′A−−−−−−→ (c′B , d′B)← commit(1||RB)cB ||c′B←−−−−−−

dA−−−−−−→ mA ← open(cA, dA)Verify 0 in mA

mB ← open(cB , dB) dB←−−−−−− iB ← NB ⊕ NA

Verify 1 in mB

iA ← NA ⊕ NB

Begin of Distance Bounding Phaseβ0 = 0

αi ← RA,bit i ⊕ iA,bit i ⊕ βi−1αi−−−−−−→βi←−−−−−− βi ← RB,bit i ⊕ iB,bit i ⊕ αi

End of Distance Bounding Phase

d′A−−−−−−→ 0||RA ← open(c′A, (d′A)

1||RB ← open(c′B , (d′B)d′B←−−−−−−

iB,bit i ← αi ⊕ βi ⊕ RB,bit i iA,bit 1 ← α1 ⊕ RA,bit 1

iA,bit i ← αi ⊕ βi−1 ⊕ RA,bit i

check iA = iB check iB = iAcheck integrity region check integrity region

output: ˆIDB, iA output: ˆIDA, iB

Figure 2.7. Key Agreement Protocol Using Distance Bounding.

25

Sylvain Pasini

26

Chapter

THREE

Preliminaries

This chapter explains and defines the necessary prerequisites. Definitions and formalism areused in the following chapters and thus need to be recalled. Note that the formalism used inthis thesis was published by Vaudenay [Vau05].

The considered model is a communication network made up of devices which use insecurebroadband communication channels between them. Note that “device” is a generic termfor communication entities. For instance, a device can be a personal computer, a mobilephone, or a satellite antenna. In our model, devices can in addition use narrowband channelswhich can be used to authenticate short messages, i.e. short authenticated strings (SAS). Weconsider that a verifier Bob would authenticate a message m from a claimant Alice using themodel depicted in Fig. 3.1. A device is located on a network node n of a given identity IDn.

AUTHENTICATED

INSECUREAlice Bob

Adversary

Figure 3.1. Message Authentication Protocol Channels (General) Model

In addition, it can run several instances which are formally denoted by a unique instance tagπi

n.

3.1 Adversarial Model

We assume that adversaries have full control on the broadband communication channel.Indeed, an adversary can read messages from the channel, he can prevent a message frombeing delivered, he can delay it, replay it, modify it, and change its recipient address.

The security model is based on Bellare-Rogaway [BR93] which places the adversary at

27

Sylvain Pasini

the center of the network. The adversary can make queries to any instances on any nodes.He has full control on which node launches a new instance of a protocol, on the input ofthe protocol, and on which protocol instance runs a new step of the protocol. Namely, weassume that the adversary has access to a launch(n, r, x) oracle in which n is a node of thenetwork, r is a character (i.e. a role to play in the protocol), and x is the input of the protocolfor this character. This oracle returns a unique instance tag πi

n. Since a node can a priorirun concurrent protocols, there may be several instances related to the same node n. Werestrict ourselves to 2-party protocols so that there are only two characters Alice and Bobin protocols. Any node can play any of these characters. The adversary also has access tooracles

• execute(πip, π

jq) which runs the full protocol with a given instance pairs and returns the

full transcript of protocol messages (this models passive attacks);

• send(πip,m) which sends a message m to a given instance and returns a message m′

which is meant to be sent to the other participant (this models active attacks).

For example, a protocol with input x and y can be run on node A and B respectively asfollows.

1. π1A ← launch(A,Alice, x)

2. π1B ← launch(B, Bob, y)

3. m1 ← send(π1A, ∅)

4. m2 ← send(π1B,m1)

5. m3 ← send(π1A,m2)

6. ...

until a message is a termination message. Note that the Bellare-Rogaway [BR93] modelconsiders additional oracles which are shortly described below.

• reveal(πin) which reveals the session key sk to the adversary if the instance πi

n haveaccepted them before. This query models the loss of the session key and can be usedto show the consequences on others instances.

• corrupt(n) which corrupts the collection of instances related to the node n. This querymodels the corruption of a node (all instances), for example a user-password has beenstolen or a “Trojan horse” has been installed on the device on node n.

• test which is specific to the semantic security of key agreement protocols. This queryis used to measure the probability of success of an adversary.

These requests are not relevant in this paper since we never use long-term secrets and theoutput of the protocols are not secret.

By convention, we describe protocols by putting a hat on the notation for received mes-sages which are not authenticated since they can differ from sent messages in the case of anactive attack.

28

3 - Preliminaries

3.2 Authenticated Channels

When referring to “channel”, we refer by default to an insecure broadband channel withoutany assumption. As mentioned before, the devices can use an authenticated channel.

An authenticated channel is related to a node identity ID. Formally, an authenticatedchannel from a node n has an identifier IDn. It allows to the recipient of a message to knowthe identity of the node from which the message has been sent as is. Note that an adversarycannot modify it (i.e. integrity is implicitly protected), but she can delay it, remove it, replayit, and of course read it. Precisely, an authenticated channel does not provide confidentiality.

By convention, we note authenticateIDn(x) a message x which has been sent from node nthrough the authenticated channel.

The send oracle maintains unordered sets of authenticated messages in every channel IDn

from node n. Only send oracles with a πin instance can insert a new message in this set. When

a send oracle is queried with any instance and any message authenticateIDn(x), it is acceptedby the oracle only if x is in the set related to channel IDn. Note that concurrent or successiveinstances related to the same node write in the same channel, i.e. in the same set. Thus,when an instance πi

n sends a message, the recipient of this message can only authenticatesthe node from which it has been sent, i.e. n, but not the connection to the right instance,i.e. i.

For simplicity, we assume that the input or output to the send oracle are either authen-ticated or non-authenticated messages, but not both. Namely, protocols do not concatenateauthenticated and non-authenticated messages.

3.2.1 Weak Authenticated Channels

By default, authenticated channels without any other assumption are called weak. This meansthat an adversary can delay a message, remove it, or replay it. In particular, the owner ofthe message has not the insurance that the message has been delivered to the recipient.

3.2.2 Stronger Authenticated Channels

In some cases we need special assumptions on the authenticated channel. Thus, we canconsider stronger authenticated channels, namely channels in which additional properties areachieved. In the following, we propose some possible properties that can be assumed on astronger authentication channel.

Stall-free transmission assumes that when a message is released by a send oracle either itis used as input in the just following send oracle query (either authenticated or not) orit is never used.

Transmission with acknowledgment assumes that messages are released with a destina-tion node identifier and the sender can check whether an instance at the destinationnode has received the message or not.

Listener-ready transmission assumes that the sender can check if an instance at the des-tination node is currently ready to listen to the authenticated channel.

29

Sylvain Pasini

Interactive Non-interactiveEncounter Telephone Mail Email Voice record

Stall-free X XAcknowledgment X XListener-ready X XImmediate delivery X

Figure 3.2. Stronger Properties of Human Authenticated Channels

Transmission with immediate delivery assumes that an input message of a send oracleis immediately delivered to the recipient.

3.2.3 Examples

As seen in Section 1.1, a face to face conversation and a telephone call achieve authen-ticity. In addition, these channels achieve some of the stronger properties described above.Suppose two persons would communicate. When the first person starts talking, he knowsthat the second one is listening (listener-ready). When one talks to the other one, he knowthat the message has not been recorded since interactivity implies coherent conversations(stall-free). Humans can also sense if the other one has listened to the message (acknowledg-ment). Finally, when a person talks face to face with another one, he has the insurance thatthe another one has received immediately the sound (immediate delivery). Using telephone,this is not the case: sometimes we feel a delay between the moment when one starts to speakand the other hears. Often this delay brings collisions of voices.

A mail can be stalled and released in a different order. The sender has no confirmation ingeneral that the mail has been received (except using a registered mail). Finally, the recipientmay not be ready to receive it. Thus, a conventional mail achieves none of these propertiesand a registered mail is a transmission with acknowledgment only.

An electronic mail is worst in term of security as a mail and also achieves none of theseproperties. Note that an email without any cryptographic appendix tools such as a GPGsignature is in fact not an authenticated channel since it can easily be forged.

A voice record achieves none of these properties since the message could be a recordedone. The recorder has no confirmation that the destination has heard it. The recipient is ingeneral not ready to listen.

It is clear that mail, electronic mail and voice record are not delivered immediately.

3.3 Message Authentication Protocols

A message authentication protocol has an input m on the side of the claimant Alice andnothing on the side of the verifier Bob. It has an output ˆID||m on Bob’s side and nothingon Alice’s side. Authentication is successful if the output is ˆID = IDA and m = m, meaningthat m coming to Bob was authenticated as sent by a node of identity IDA.

We call a protocol non-interactive if only it uses messages send by Alice to Bob. Otherwise,we say that the protocol is interactive.

30

3 - Preliminaries

On a global perspective, several launch(Ak, Alice,mk) and several launch(B`,Bob, ∅) canbe queried. These queries create several πik

Akinstances of Alice (authentication claims) and

several πj`B`

instances of Bob (authentication verifications). We may have a perfect matchingbetween the k’s and `’s such that related instances have matching conversations which fullyfollow the protocol specifications, and the πj`

Bènds with output IDAk

||mk for the matchingk. In any other case, we say that an attack occurred.

Attack Definition. We say that an attack is successful if there exists at least an instanceπj`

B`which terminated and output ÎD||m such that there is no k for which ÎD = IDAk

andm = mk. Note that many protocol instances can endlessly stay in an unterminated state orturn in an abort state.

We call one-shot attacks the attacks which launch a single instance of Alice and Bob. Wecall attacks the general attacks that can use several instances of Alice and Bob. The attackcost is measured by

• the number Q of launched instances of Alice and Bob, i.e. the online complexity.

• the additional complexity C, i.e. the offline complexity.

• the probability of success p.

An attack of cost (Q,C, p) is cheaper than an attack of cost (Q′, C ′, p′) if Q ≤ Q′, C ≤ C ′,and p ≥ p′, but note that some attacks are incomparable in terms of cost without any moreimplementation assumptions.

Here is a useful lemma taken from [Vau05].

Lemma 1. We consider a message authentication protocol with claimant Alice and verifierBob in which a single SAS is sent. We denote by µA (resp. µB) the complexity of Alice’s (resp.Bob’s) part. We consider adversaries such that the number of instances of Alice (resp. Bob)is at most QA (resp. QB). We further denote T0 and p0 their time complexity and probabilityof success, respectively. There is generic transformation which, for any QA, QB, and anyadversary, transforms it into a one-shot adversary with complexity T ≤ T0 + µAQA + µBQB

and probability of success p ≥ p0/QAQB.

Assuming that no adversary running a one-shot attack has a probability of success largerthan p, using Lemma 1, we can upper bound the probability of success of an attack whichuses QA, resp. QB, instances of Alice, resp. Bob. More precisely, it has a probability ofsuccess at most QAQBp.

3.4 Commitment Schemes

A commitment scheme can be seen as a “locked combination safe”. When Alice would commiton a message m, she placed m into the “safe” and closed it. The safe is also the commit objectc and can be given to another party. The message is revealed only when the combinationis known, i.e. the decommit d is revealed. Obviously, the message m cannot be known by

31

Sylvain Pasini

others party prior its opening, i.e. the “locked safe” is “hiding”, and cannot be modified byAlice, i.e. the “locked safe” is “binding”.

We can formalize a commitment scheme by two algorithms commit and open. For anymessage m we have (c, d) ← commit(m). The c value is called the commit value and the dvalue the decommit value. Knowing both c and d, the message can be recovered using theopen oracle, i.e. m← open(c, d). As a “locked safe”, a commitment scheme should be hiding,meaning that for any c, it is hard to deduce any information about the corresponding messagem, and binding, meaning that one cannot find c,d,d′ such that (c, d) and (c, d′) open to twodifferent messages.

We also introduce keyed commitment schemes which have in addition a setup oracle toinitialize a pair of keys, i.e. (Kp, Ks) ← setup(). The public key Kp is used in commit andopen oracles. Note that Kp may be empty.

3.4.1 Tag-Based Commitment Model

Tag-based commitment schemes are particular commitments schemes in which the message xis composed of two parts: a known part m called tag and an hidden part r. Let k be the bitlength of the hidden value r. The setup algorithm is the same as for tag-less commitments,but the two algorithms commit and open are redefined. The three algorithms are finally de-fined as follows.Setup algorithm. It yields a pair of keys (Kp,Ks).Commit algorithm. For any pair of keys (Kp,Ks), any tag m, and any value r we have(c, d)← commit(Kp,m, r).Open algorithm. From Kp, c, d and the tag m, the hidden value r can be recovered usingthe open oracle, i.e. r ← open(Kp, m, c, d).

Standard commitment schemes, as previously defined in which the message m′ is kepthidden, can be constructed using a tag-based commitment scheme with an empty tag, i.e.m =⊥, and an hidden value equals to the conventional message, i.e. r = m′. We have finallyx = m||r = m′.

3.4.2 Completeness, Hiding, and Binding Properties

We define here the completeness, hiding and binding properties for tag-based commitmentschemes.

Any commitment scheme must clearly satisfy the completeness property, i.e. a commitvalue c and a decommit value d which has been yield by the commit algorithm with input mand r would open to r. More formally, the completeness property is defined as follows.

Completeness property. For any pair of keys (Kp,Ks), any tag m, any value r, and any(c, d)← commit(Kp,m, r), we have r = open(Kp,m, c, d)

In addition, commitments schemes should be hiding, i.e. the commit value c reveals noinformation about the hidden value r. More formally, the hiding property is defined as follows.

32

3 - Preliminaries

Hiding property. For any pair of keys (Kp,Ks), any tag m, any values r0, r1, and any(c, d)← commit(Kp,m, rb), c gives no information on the random binary value b.

We defeat the hiding property with the semantic hiding (SH) game which is described onFig. 3.3: the adversary A selects a tag m and two hidden values r0 and r1 and sends themto the challenger C. The challenger flips an unbiased coin b and commits to (m, rb). Giventhe commit value the adversary guesses b and succeeds if the guess is correct. The scheme is(T, εh)-semantically hiding if any adversary A bounded by a complexity T has a probabilityof success at most 1

2 + εh.

A CKp←−−−−−−−−−−−−−− (Kp,Ks)← setup()

select m, r0, r1m||r0||r1−−−−−−−−−−−−−−→

pick b ∈ 0, 1c←−−−−−−−−−−−−−− (c, d)← commit(Kp, m, rb)

b← guess on b

Winning condition: b = b

Figure 3.3. SH Game.

We also can defeat the hiding property with the full hiding (FH) game which is describedon Fig. 3.4: The adversary picks a tag m and sends it to the the challenger C. C picks ahidden value r ∈ 0, 1k and commits on (m, r). C reveals the value c to the adversary A. Theadversary guesses r and succeeds if the guess is correct. The scheme is (T, εh)-fully hiding ifany adversaries A bounded by a complexity T has a probability of success at most 2−k + εh.

A CKp←−−−−−−−−−−−−−− (Kp, Ks)← setup()

select mm−−−−−−−−−−−−−−→

pick r ∈ 0, 1kc←−−−−−−−−−−−−−− (c, d)← commit(Kp,m, r)

r ← guess on rWinning condition: r = r

Figure 3.4. FH Game.

Note that a scheme is perfectly hiding if it is (∞, 0)-hiding.

Lemma 2 ([Vau05]). There exists a (small) constant v such that for any T and εh, a (T +v, εh)-semantically hiding scheme is a (T, 2εh)-fully hiding commitment scheme.

Obviously, a (T + v, εh)-fully hiding commitment scheme is (T, εh)-semantically hiding.Hence, the two notions of hiding commitment schemes are essentially equivalent.

In addition, commitments should be binding, i.e. an adversary which has committed ona value with c can not opens to two different hidden values r0 and r1. More formally, thebinding property is defined as follows.

33

Sylvain Pasini

Binding property. For any pair of keys (Kp,Ks) and any adversary A bounded by a com-plexity T , there exists a small ε such that A cannot find (m, r0, r1, c, d0, d1) whereopen(Kp,m, c, db) yields rb respectively for b = 0 and b = 1 and r0 6= r1 with probabil-ity bigger than ε.

The semantic binding (SB) game of Fig. 3.5 must be hard, i.e. for any tag m and any commitvalue c, it is hard to find two decommit values d and d′ such that r ← open(Kp,m, c, d) andr′ ← open(Kp,m, c, d′) with r 6= r′. The scheme is (T, εb)-semantically binding if given mand c any adversaries A bounded by a complexity T has a probability to find two decommitvalues d and d′ which is at most εb.

A CKp←−−−−−−−−−−−−−− (Kp,Ks)← setup()

select m, c, d, d′m||c||d||d′−−−−−−−−−−−−−−→ r ← open(Kp,m, c, d)

r′ ← open(Kp,m, c, d′)Winning condition: r, r′ 6=⊥ and r′ 6= r

Figure 3.5. SB Game.

We can also define the full binding (FB) game. As described on Fig. 3.6, it works asfollows: the adversary A selects a tag m and a commit value c. Then, he sends it to thechallenger C. C picks a random value r and sends it to A. The adversary A proposes adecommit value d and succeeds if it opens to r, i.e. r = open(Kp,m, c, d). The scheme is(T, εb)-fully binding if any adversaries A bounded by a complexity T has a probability ofsuccess at most 2−k + εb.

A CKp←−−−−−−−−−−−−−− (Kp,Ks)← setup()

select m,cm||c−−−−−−−−−−−−−−→

r←−−−−−−−−−−−−−− pick r ∈ 0, 1kd−−−−−−−−−−−−−−→ r ← open(Kp, m, c, d)

Winning condition: r = r

Figure 3.6. FB Game.

Note that a scheme is perfectly binding if it is (∞, 0)− binding.

3.4.3 Ideal Commitment Model

The notion of ideal commitment model describes a scheme which is perfectly hiding andperfectly binding.

For instance, an ideal commitment scheme can be implemented using a trusted third party(TTP) as follows.

34

3 - Preliminaries

The commit(m) algorithm consists of sending the message m securely to the TTP. TheTTP binds it to a unique commit value c, inserts (c, m) in a database with a protection flagand returns c to the owner. There is no decommit value.

4. c

3. c

2. store (c, m)protected in the database

1. commit(m)

BobAlice

TTP

Figure 3.7. Ideal Commitment: Commit Algorithm.

The open(c) algorithm is in fact a call to the TTP. The TTP clears the protection flag of(c,m) which becomes available for anyone.

2. clear protection flag on (c, m)

Alice Bob

TTP

4. m

3. open(c)

1. clear(c)

Figure 3.8. Ideal Commitment, Decommit Algorithm.

Ideal commitment can be also implemented using the notion of universal composablecommitment schemes as proposed by Damgard and Nielsen in [DN02]. Canetti and Fischlinin [CF01] propose another commitment scheme which behaves like an “ideal commitmentservice”. It is based on the common reference string model (CRS), see after, where all partiesuses or can access to the same common string.

3.4.4 Extractable and Equivocable Commitment Schemes

We define an extractable commitment scheme as an extension of a general tag-based com-mitment scheme in which there is an additional deterministic algorithm extract. With inputsm and c, the extract algorithm yields a r value, i.e. r ← extract(Ks,m, c) whenever thereexists d which opens to r using r ← open(Kp,m, c, d). Note that extractable commitmentsare perfectly binding since for a given m and a given c, only one r can be yield by the ex-tract algorithm. Thus, there exists only one d and any adversary looses the SB game withprobability 1.

We define an equivocable commitment scheme as an extension of a tag-based commitmentscheme in which there are two additional algorithms commit and equivocate. With inputm, the commit algorithm yields a fake commit value c and an information value ξ using thesecrete key Ks, i.e. (c, ξ) ← commit(Ks,m). Using Ks, and with inputs (m, r, c, ξ) wherec and ξ are outputs of commit algorithm, the equivocate algorithm yields a decommit value

35

Sylvain Pasini

d ← equivocate(Ks,m, r, c, ξ) such that (m, c, d) opens to the r value. Assume that for anyKp||Ks and any m, the distribution of fake commit values are identical to the distribution ofreal commit values for any r, equivocable commitments are perfectly hiding since a c can begenerated before and independently of the hidden value r.

Adversaries playing the SH, FH, SB, or FB games may have access or not to oracles. Forextractable commitments, they may query an extract(Ks, ·, ·) oracle, except on the target tagm. (Note that they have no access to Ks, but the oracle has.) For equivocable commitments,they may query commit(Ks, ·) and the related equivocate(Ks,m, ·, c, ξ) oracles, except on thetarget tag m, but cannot see the value ξ. (Namely: an oracle equivocate(Ks,m, ·, c, ξ) iscreated by commit(Ks, ·) so that Ks and ξ remain hidden to the adversary.)

3.4.5 Trapdoor Commitment Model

The notion of trapdoor commitment was introduced by Brassard-Chaum-Crepeau [BCC88].We define (tag-less) (T, ε)-trapdoor commitment schemes by four algorithms setup, commit,open, and equivocate. The first three work as before. The algorithm equivocate defeatsthe binding property by using the secret key Ks. There is no fake commitment algorithm.Indeed, the algorithm equivocate needs no additional information except Ks. Note that thisprimitive is a particular case of strongly equivocable commitment as described by Damgard-Groth [DG03].

More precisely, for any (Kp,Ks)← setup(), a trapdoor commitment scheme is such that

Commitment properties. The algorithms setup, commit and open form a tag-less commit-ment scheme which satisfies the completeness property, which is perfectly hiding, andwhich is (T, ε)-binding.

Trapdoor property. For any pair of keys (Kp,Ks) and any message m, the two distribu-tions

(c, d)← commit(Kp,m)

and (c ∈U C, d← equivocate(Ks,m, c)

)

are indistinguishable.

For instance, a trapdoor commitment based on the discrete logarithm problem was pro-posed by Boyar and Kurtz [BK90]. Another trapdoor commitment scheme was proposed byCatalano et al. [CGHGN01] which is detailed in the next section.

Trapdoor commitment schemes are perfectly hiding and computationnaly binding com-mitment schemes. Note that it is impossible to distinguish whether a committed value andits corresponding decommit value, i.e. (c, d) have been yield by using the standard commitalgorithm or by using the trapdoor, the equivocate algorithm, and choosing c uniformly atrandom.

In the Damgard-Groth construction, adversaries can query equivocate(Ks, ·, ·, ·) oracle(except on the selected c). In the Boyar-Kurtz and Catalano et al. constructions, theycannot.

36

3 - Preliminaries

3.4.6 Examples

Extractable Commitment Model Using a Random Oracle. Extractable commit-ment schemes can be designed from a random oracle H. Such a schemes were definedin Pass [Pas03]. The random oracle H yields from any input d a value c ← H(d), withc ∈ 0, 1h. The setup() algorithm actually returns no key at all.

The commit(m, r) algorithm with input hidden value r in 0, 1k picks a random value ein 0, 1`, builds d← r||e, and call the random oracle c← H(m||d).

The open(m, c, d) algorithm simply extracts r from d and checks that c = H(m||d).An extract(m, c) oracle can be added to this commitment scheme. Indeed, when there was

no collision on the outputs of the oracle H, the hidden value corresponding to a given tag mand commit value c queried to the oracle H can be extracted from the history of H queries.

Note that by allowing q queries to the oracle H, the scheme is (∞, q · 2−`−k)-extractablewith probability at least 1−q2 ·2−h−1. This scheme is pretty safe with h = 2` and k = 80 (seee.g. [Vau05]) and the oracle H can be typically an hash function, e.g. SHA-1 [SHA93, SHA95].

Commitment Scheme in the Common Reference String Model. We assume all im-plementations to use the same trusted public key, a common reference string (CRS), andbelieve that no corresponding secrete key is kept by anyone. Note that the use of the com-mon public key can be “hard-coded” or can be an access. As said before, Canetti andFischlin [CF01] propose a commitment scheme based on the CRS model which behaves like“ideal commitment scheme”. All commitment schemes below are in the CRS model.

Paillier-based Trapdoor Commitment Scheme. A trapdoor commitment scheme wasproposed by Catalano et al. [CGHGN01] based on the Paillier’s trapdoor permutation [Pai99].The proposed scheme is tag-less. It uses a RSA modulus N = pq and a value h ∈ ZN2 suchthat its order is a multiple of N . The public key is Kp ← (N, h) and the private key isKs ← (p, q, h).

The setup() algorithm outputs the two keys, Kp and Ks, as described previously.The commit(Kp, m) algorithm of a message m ∈ ZN picks uniformly two random values

r, s and outputs c ← (1 + mN)rNhs mod N2 and d ← (r, s). Note that the commit valuec is uniformly distributed for any m since r and s are uniformly distributed and (r, s) 7→rNhs mod N2 is the Paillier trapdoor permutation (see [Pai99]). We denote Fh(r, s) thispermutation.

The open(Kp, c, d) algorithm yields m by solving c = (1 + mN)rNhs mod N2 from d =(r, s) and Kp = (N, h).

The equivocate(Ks,m, c) algorithm uses the collision-finding function, i.e. given a commitc and a message m, one can find d← (r, s) such that c = (1+mN)Fh(r, s) mod N2 by usingthe trapdoor on the Paillier permutation and knowing p, q, i.e. (r, s)← F−1

h (c(1 + mN)−1).Thus, given a c, an adversary can find d for any message m and thus defeats the bindingproperty.

37

Sylvain Pasini

Pedersen Commitment Scheme. An interesting and simple tag-less commitment schemewas proposed by Pedersen in [Ped91].

The setup() phase consists of choosing two prime numbers p and q such that q dividesp−1. Let Gq the unique subgroup of order q of Z∗p and let g a generator of Gq. In addition, itpicks a random y ∈ Gq such that nobody knows loggy. The public parameters are (p, q, g, y).Note that the setup phase can be done by a trust third party.

The commit(Kp, m) algorithm with input message m ∈ Zq starts by picking a random` ∈ Gq and then computes c← gmy`. The decommit value is simply d← (m, `).

The open(Kp, c, d) algorithm has just to check that c = gmy`.This scheme is perfectly hiding since y` is a random value and thus c reveals no information

about m. On the other hand, this scheme is computationally binding. Indeed, an adversarywho can win against the tag-less SB game proceeds as follows: He discloses some c, d, d′ suchthat d = (m, `), d′ = (m′, `′), m 6= m′, and c = gmy` = gm′

y`′ . The secret parameter leaksby logg(h) = m−m′

`′−`

A Tag-based Equivocable Commitment Scheme. We present here a tag-based trap-door commitment scheme from MacKenzie and Yang [MY04]. The scheme is based on thePedersen commitment scheme [Ped91] and on the DSA signature scheme [DSS94, DSS00].

The setup() algorithm generates a DSA pair of keys (Kp,Ks), i.e.

Kp = (g, p, q, y), Ks = x.

The commit(Kp,m, r) algorithm with input r in Zq picks a k and computes g′ and h asfollows.

k ∈U Zq, g′ ← gk mod p, h← gH(m)yg′ mod p.

Note that (rDSA, sDSA) is a DSA signature of m where rDSA = g′ mod q and sDSA = logg′(h),i.e. sDSA = H(m)+xr

k .Then, it uses the Pedersen commitment scheme to commit on r using (g′, h) as public pa-rameters, i.e. it picks ` and computes c′ as follows.

` ∈ Zq, c′ ← (g′

)`hr.

Finally, the commit value c and the decommit value d are the following.

c← (g′, c′), d← (r, `)

The open(Kp,m, c, d) algorithm computes h as follows.

h← gH(m)yg′ mod p

Then, it checks thatc′ =

(g′

)`hr

and if the condition is verified it outputs r, otherwise it outputs ⊥.These three first algorithms form a commitment scheme. In addition, this scheme as a

commit(Ks,m) algorithm which use the secrete key Ks to yield a fake commit value andadditional information which are required by the equivocate algorithm.

38

3 - Preliminaries

The commit(Ks,m) algorithm computes a DSA signature σDSA ← (rDSA, sDSA) on musing the secrete key Ks, i.e.

k ∈ Z∗q , rDSA ← gk mod p mod q, sDSA ← H(m) + xrDSA

kmod q.

Then, it computes g′ and h as

h← gH(m)yrDSA mod p, g′ ← hs−1DSA mod p

and picks ` and computes c′ as

` ∈ Zq, c′ ← h` mod p.

Finally, the fake commit value c and the auxiliary information ξ are

c← (g′, c′), ξ ← (`, sDSA).

Note that g′ is in fact equal to gk mod p.The equivocate(Ks,m, r, c, ξ) algorithm outputs a fake decommit value d such that open(Kp,m, c, d)

yields r. Thus, it must find a d, i.e. a ˆ (since r is given), such that

c′ = (g′)ˆhr mod p

which can be written asc′ = (g′)ˆ

grH(m)yrg′ mod p.

But, we know that y = gx mod p and g′ = gk mod p and we obtain

c′ = gk ˆ+rH(m)+xrg′ mod p.

In reality, the c′ value yields by the commit algorithm is

c′ = h` mod p = gH(m)`+xrDSA` mod p.

Recall from DSA that g is of order q. Thus, we can deduce that

k ˆ+ rH(m) + xrg′ = H(m)` + xrDSA` mod p− 1.

Note that rDSA = g′ mod q. We have

ˆ= (`− r)H(m) + xrDSA

kmod q

Consequently, we obtainˆ= (`− r)sDSA mod q

and this is the reason why ` and sDSA are in the extra information ξ.Note that this scheme has a stronger binding property called simulation sound binding

property which guarantees that a commitment made by an adversary with tag m is bindingeven if he has seen many simulated commit values but never a commitment using m. It isshowed in [MY04] that if an adversary can break this property then it can also break DSA.

39

Sylvain Pasini

3.5 Hash functions

3.5.1 Collision-Resistant Hash Functions

A collision-resistant hash function (CRHF) is a hash function in which it should be hard tofind two inputs x and y such that H(x) = H(y) and x 6= y. Due to the birthday attacks, theoutput space must be at least of 2160.

3.5.2 Weakly Collision-Resistant Hash Functions

Weak collision resistance means that the game of Fig. 3.9 is hard. Assume a (T, ε)-weaklycollision-resistant hash function (WCRHF) H defined on a finite set X . For any adversaryA bounded by a complexity T , A wins the WCR game on Fig. 3.9 with probability smallerthan ε.

A Cx←−−−−−−−−−−−−− pick x ∈U Xy−−−−−−−−−−−−−→

winning condition: H(y) = H(x) and y 6= x

Figure 3.9. WCR game.

3.5.3 Universal Hash Functions Families

An ε-universal hash function family (UHFF) is a collection of functions HK from a messagespace to a finite set 0, 1k which depends on a random parameter K such that for any x 6= ywe have

Pr[HK(x) = HK(y)] ≤ ε.

where the probability is over the random selection of K.

40

Chapter

FOUR

On the Required Entropy of AuthenticatedCommunications

In this chapter, we would like to upper bound the security of an arbitrary message authentica-tion protocol P given the amount of authenticated strings it uses. Assume that the protocolis used between Alice and Bob. We consider the more general case by supposing that theprotocol can use any sequence of authenticated messages in a given set S during the protocol.We call it a transcript. Note that authenticated strings are interleaved with regular messageswhich are not represented in the transcript. For any input message m, the used transcriptduring a protocol instance is picked in the set S of all possible transcripts with a distributionDm.

First, we analyze the security against one-shot adversaries, which can only use one instanceof Alice and one instance of Bob.

Second, we consider adversaries which can use many instances of Alice and Bob. Usinga weak authenticated channel, adversaries can delay or replay authenticated messages. Withprotocols using a single k-bit SAS, we have the following attacks.

Delay attack. An attacker can start a protocol with Alice to recover an authenticated SAS.Then he can launch several protocols with Bob until a SAS matches and then deliverthe SAS to this instance of Bob.

Catalog attack. Similarly, an attacker can launch several instances of Alice and use anauthenticated SAS to pass the authentication with Bob. This attack works when theSAS catalog is close to the complete one.

Trade-off attack. We can further trade the number of Bob’s instances against the numberof Alice’s instances and have a birthday paradox effect.

Note that the first two attacks work within a number of trials around 2k but the third oneneeds only around 2k/2 trials.

41

Sylvain Pasini

4.1 A Generic One-Shot Attack

Theorem 1. We consider an arbitrary message authentication protocol between Alice andBob which uses an authentication channel. Let S be the set of all possible protocol transcriptsthrough the authentication channel for any input message. Let s be its cardinality. Thereexists a generic one-shot attack with probability of success greater than 1

s − 2−t which runsin polynomial time in terms of t (with equality 1

s − 2−t if and only if the SAS distribution isuniform among S).

Theorem 1 says that there exists a one-shot attack against any message authenticationprotocol which succeeds with probability at least essentially 1

s where s is the size of S. Thus,any message authentication protocol which has no better one-shot attack is essentially optimalsince any other protocol can be attacked using this generic attack and consequently can nothave a better security. In addition, Theorem 1 says that a protocol is more resistant toone-shot attacks when its SAS distribution is uniform.

Proof. We consider a general man-in-the-middle attack in which the adversary first picksm ∈U 0, 1t and m ∈U 0, 1t and launches Alice with input m. The attack runs synchro-nized protocols between Alice and a simulator for Bob, and a simulator for Alice with inputm and Bob as depicted on Fig. 4.1. Following the attack, every authenticated message which

Adversary

Simulatorof Bob

Simulatorof AliceAlice Bob

Figure 4.1. Generic One-Shot Attack

must be sent by the simulator is replaced by an authenticated message which has just beenreceived by the simulator.

Let SASm be the (random) sequence of all authenticated strings (the transcript) whichwould be exchanged in the protocol between Alice and the simulator if the simulator wherehonest, and SASm be the similar sequence between the simulator and Bob. Clearly, ifSASm = SASm, the attack succeeds. Note that an attack makes sense only if m is dif-ferent of m.

We have

Pr[success] = Pr[SASm = SASm and m = m]≥ Pr[SASm = SASm]− Pr[m = m].

Note that SASm and SASm are two identically distributed independent random variableswhose support are included in S. Due to Lemma 4 (see Appendix) we can write

Pr[SASm = SASm] ≥ 1s

where the equality occurs if and only if the SAS distribution is uniform.Since m and m are uniformly distributed in 0, 1t, we have Pr[m = m] = 2−t. Finally,

we obtainPr[success] ≥ 1

s− 2−t

42

4 - On the Required Entropy of Authenticated Communications

where the equality occurs if and only if the SAS distribution is uniform among the set S.

4.2 A Generic Multi-Shot Attack

In this section, we sketch a generic attack bounded by QA, resp. QB, instances of Alice, resp.Bob, which works against any message authentication protocol.

Theorem 2. We consider an arbitrary message authentication protocol between Alice and Bobwhich uses a weak authenticated channel. Let S be the set of all possible protocol transcriptsthrough the authenticated channel for any input message and let s be its cardinality.

There exists a generic attack which uses QA instances of Alice and QB instances of Bobwith probability of success approximatively 1− e−

QAQBs .

Proof. We consider that the adversary can use QA instances of Alice and QB instances ofBob. As before, we consider a general man-in-the-middle attack. The adversary first picksmi ∈U 0, 1t with i = 1, .., QA and mj ∈U 0, 1t with j = 1, .., QB and launches severalinstances of Alice with input mi. For each instance of Alice, the attack runs a synchronizedprotocol with a simulator for Bob and for each instance of Bob, it runs a simulator for Alicewith input mj . Every authenticated message which must be sent by a simulator of Alice isreplaced by an authenticated message which has just been received by a simulator of Bob.

Let SASi be the (random) sequence of all authenticated strings (the transcript) whichwould be exchanged in the protocol between Alice and the simulator of Bob if the simulatorwhere honest, and SASj be the similar sequence between the simulator of Alice and Bob.Let S the set of all possible protocol authenticated transcripts and s its cardinality. Notethat all SASi and all SASj are independent and identically distributed among the set S andlet D their distribution.

Clearly, if there exists a couple (i, j) such that SASj = SASi, the attack succeeds. Notethat an attack makes sense only if the mj is different of the mi. Consequently, the probabilityof success can be written as

Pr[success] = Pr[∃ i, j s.t. (SASi = SASj and mi 6= mj)]

= 1− Pr[∀ i, j, (SASi 6= SASj or mi = mj)]

≥ 1− Pr[∀ i, j, SASi 6= SASj or ∀ i, j, mi = mj ]

≥ Pr[∃ i, j s.t. SASi = SASj ]− Pr[∃ i, j s.t. mi = mj ]

Pr[∃ i, j s.t. mi = mj ] is constant for all message authentication protocols and is smaller thanQAQB2−t.

Thus, it remains to upper bound Pr[∃ i, j s.t. SASi = SASj ]. Using Lemma 5 (seeAppendix B), we can bound this probability by the one using a uniform distribution, i.e.

Pr[∃ i, j s.t. SASi = SASj ] ≥ Pr[∃ i, j s.t. SASi = SASj |D is uniform].

Consequently, we can approximate the probability of collision using the birthday paradoxand finally we obtain

Pr[success] ≈ 1− e−QAQB

s −QAQB2−t.

43

Sylvain Pasini

4.3 A Generic Multi-Shot Attack Against Non-Interactive Pro-tocols

We can also provide a generic attack against any non-interactive message authenticationprotocol (NIMAP).

Theorem 3. We consider an arbitrary NIMAP between Alice and Bob which uses a weakauthenticated channel. Let S be the set of all possible protocol transcripts through the authen-tication channel for any input message. Let s be its cardinality. There exists a generic attackwhich uses QA instances of Alice, one instance of Bob, and an offline complexity O(T ) with

probability of success approximately 1− e−T ·QA

s .

Proof. We consider the generic attack in which the adversary starts by simulating T Aliceinstances launched with random inputs mi and obtains a list of possible SAS, i.e. SASi.Then, he launches QA real instances of Alice with random inputs mj and consequently obtainsQA authenticated SAS, i.e. SASj . The attack succeeds when at least one authenticated SASreleased by Alice corresponds to a computed one, i.e. there exists k, ` such that SASk = SAS`.The adversary can launch a single Bob with input m` by simulating Alice and can use SASk

for the authentication when needed.If the distribution of all SAS is uniform, we have a birthday effect and thus the probability

of success is approximately 1−e−T ·QA

s . When the distribution is not uniform, the probabilityis even larger du to Lemma 5 (see Appendix B).

4.4 A Short Overview

In conclusion, we have three theorems which are proving the best expected security of anymessage authentication protocol. More precisely,

Theorem 1 says that there exists a one-shot attack against any message authentication pro-tocol, either interactive or non-interactive, which succeeds with probability essentially1s where s is the size of the set S of all possible transcripts.

Theorem 2 says that there exists a generic attack bounded by QA instances of Alice andQB instances of Bob against any message authentication protocol which succeeds withprobability essentially 1− e−

QAQBs .

Theorem 3 says that there exists a generic attack bounded by a complexity T againstany NIMAP which uses a weak authenticated channel which succeeds with probabilityessentially 1− e−

T ·QAs where QA is the number of instances of Alice used. Hence, they

cannot be secure unless T ·QA is negligible against s.

44

Chapter

FIVE

Non-Interactive Authentication Protocols

We call non-interactive message authentication protocols (NIMAP) the message authentica-tion protocols in which the insecure and the authenticated channels are unidirectional, i.e.from Alice to Bob. Consequently, Alice can only send messages and Bob can only receive it.

AUTHENTICATED

INSECUREAlice Bob

Adversary

Figure 5.1. Non-Interactive Channels Model

We will start to study two popular protocols. The first one is used nowadays in many ap-plications which require key exchange, for instance applications such as GPG or SSH. It waspresented by Balfanz et al. [BSSW02] and requires a collision resistant hash function (CRHF)but weak authentication only. To achieve enough security, it requires 160 authenticated bits.The second protocol was published by Gehrmann-Mitchell-Nyberg [GMN04]. It allows to au-thenticate a message with only 16–20 authenticated bits but requires a stronger authenticatedchannel.

In a second time, we will propose a new protocol which has the same security than the firstone presented but using less authenticated bits, without any stronger communication model,and without requiring the hash function to be collision-resistant. Our protocol is based on atrapdoor commitment scheme.

45

Sylvain Pasini

5.1 A Non-Interactive Authentication Protocol Based on aCollision-Resistant Hash Function

On Fig. 5.2 is depicted the non-interactive protocol presented by Balfanz et al. [BSSW02]which is based on a collision resistant hash function.

Alice Bobinput: m

m−−−−−−−−−−−−−−→h← H(m)

authenticateAlice(h)−−−−−−−−−−−−−−→ check h = H(m)output: Alice, m

Figure 5.2. Non-Interactive Message Authentication using a CRHF.

Note that the authenticated string is fixed by a non-probabilistic algorithm from the inputmessage m, i.e. the authenticated string is H(m). Thus, the authenticated string is the samefor each instance of the protocol which uses the same input m. This particularity allowsadversaries to run attacks completely offline. An adversary has simply to find a collisionon the hash function H between two messages m1 and m2, i.e. H(m1) = H(m2) and thensucceeds with probability 1.

Theorem 4 ([Vau05]). Let µ be the overall time complexity of the message authenticationprotocol in Fig. 5.2 using weak authentication. We denote by T , Q, and p the time complexity,number of oracle queries launch, and probability of success of adversaries, respectively. Thereis a generic transformation which transforms any adversary into a collision finder on H whosecomplexity is T + µQ and probability of success is p.

In short, the best known offline attack against this protocol is the collision attack. Usinga time complexity of T hash computations, an adversary has a probability of success of1− e−

12T 22−k

. It clearly succeeds for T = O(2k/2)The generic attack against non-interactive protocol of Theorem 3 can be run here. Any

adversary has a probability of success 1−e−−T ·QA

s where the adversary is bounded by T hashcomputations and QA instances of Alice and a single instance of Bob. Obviously, this attackis not optimal for small QA.

Collision resistance requires the number of authenticated bits to be at least 160 and cannotbe reduced considering offline attacks and using only weak authentication.

5.2 A Non-Interactive Authentication Protocol using StrongAuthentication

On Fig. 2.2 is depicted a non-interactive authentication protocol taken from Gehrmann-Mitchell-Nyberg [GMN04]1. They have proposed three protocols, MANA I, MANA II, andMANA III. The name MANA was chosen for MANual Authentication.

1Note that the original MANA I protocol is followed by an authenticated acknowledgment from Bob toAlice in [GMN04].

46

5 - Non-Interactive Authentication Protocols

In short, MANA I was designed for situation where one device has a display and the otherhas a keypad. MANA II is a variant of MANA I for situations where the second device hasin addition a display. Finally, MANA III was designed for situation where both devices havea keypad. Note that MANA I and MANA II were originally published in [GN01]. Then, thefirst one was called MANA I in [GN04] and Mechanism I in [MUM03].

MANA I uses a universal hash function family H. Proposed constructions lead to 16–20bit long SAS values but require strong authentication 2. Indeed, using weak authentication,an adversary who gets authenticate(K||µ) has enough time to find a message m such thatµ = HK(m) and to substitute m with m. We can also achieve security with a strongerauthenticated channel which achieves stall-free transmissions.

Alice Bobinput: m

m−−−−−−−−−−−−−−→pick K ∈U 0, 1k

µ← HK(m)authenticateAlice(K||µ)−−−−−−−−−−−−−−→ check µ = HK(m)

output: Alice, m

Figure 5.3. The MANA I Protocol.

Using only an authenticated hash value, i.e. k = 0, an offline attack succeeds withprobability 1 and time complexity O(2`/2) by simply finding a collision. In fact, it is theprotocol of Fig. 5.2. Using only an authenticated random variable makes no sense since itdoesn’t authenticate the message. MANA I is a trade off: it authenticates the message, butuses a random value to avoid offline attacks.

Theorem 5. Given an ε-universal hash function family H, any adversary bounded by acomplexity T and by QA (resp. QB) instances of Alice (resp. Bob) against the protocol ofFig. 5.3 and using stall-free authentication has a probability of success at most QAQBε.

Proof. A one-shot adversary has no advantage to send m before it has received m and hecannot send m after K||µ is released. Indeed, he would not be able to send m after receivingK||µ due to the stall-free assumption. Thus, the attacker must select m and m and hopethat HK(m) = HK(m). Clearly, the assumption on H limits the probability of success to ε.

Now, consider powerful adversaries. Using Lemma 1, we can deduce that the probabilityof success of an adversary is at most QAQBε.

We see that any adversary has a non-negligible probability of success when QAQB is near1/ε.

2Note that strong authentication renders the protocol “less non-interactive”.

47

Sylvain Pasini

5.3 A Proposed Non-Interactive Authentication Protocol us-ing Weak Authentication Only

Consider the protocol depicted on Fig. 5.4 in which the message m is transmitted by sending(c, d) ← commit(m). This message can be recovered by anyone using the open function. Toauthenticate this message, the hashed value of c is sent using an authenticated channel. Weprove that this protocol is secure with authenticated strings which can be shorter than in theactual protocol of Fig. 5.2.

Kp

↓Kp

↓Alice Bob

input: m

(c, d)← commit(Kp,m)c||d−−−−−−−−−−−−−−→ m← open(Kp, c, d)

h← H(c)authenticateAlice(h)−−−−−−−−−−−−−−→ check h = H(c)

output: Alice, m

Figure 5.4. Non-Interactive Message Authentication Based on a WCRHF.

A non-deterministic commitment scheme is the heart of this protocol since an attackercannot predict the c value and thus cannot predict the H(c) value which is the authenticatedone. Commitment is assumed to be set up in the Common Reference String (CRS) model.

Lemma 3. Consider the message authentication protocol depicted in Fig. 5.4. We assumethat the function H is a (T + µ, εh)-weakly collision resistant hash function and the commit-ment scheme is a (T + µ, εc)-trapdoor commitment scheme in the CRS model. There existsa (small) constant µ such that for any T , any one-shot adversary against this message au-thentication protocol with complexity bounded by T has a probability of success p smaller thanεh + εc.

Recall that the c value is sent through the insecure broadband channel and thus has notto be minimized. Thus, we can use an εc as small as desired since we can use any commitmentscheme as secure (as long) as desired.

Assuming that H is optimally WCR, the best WCR attack using T hash computationshas a probability of success εh ≈ 1− e−T2−k

. So, we need T = Ω(2k) to succeed with a one-shot attack. Thus, using the same amount of authenticated bits as the protocol of Fig. 5.2,our protocol has a better resistance against offline attacks. Equivalently, we can achieve thesame security as the protocol of Fig. 5.2 using only half amount of authenticated bits, e.g.80 bits.

Proof. A one-shot adversary A against the protocol in Fig. 5.4 follows the game depicted onFig. 5.5 in which it runs a man-in-the middle attack.

Clearly, it can be reduced to an adversary A who plays the game described in Fig. 5.6.Assume a one-shot adversary A bounded by a complexity T . Given c, the adversary A

has to find a c such that H(c) = H(c). In addition, it must find a d which opens to m (using

48


Kp

↓Kp

↓Kp

↓Alice A Bob

m←−−−−−−(c, d)← commit(Kp,m)

c||d−−−−−−→ c||d−−−−−−→ m← open(Kp, c, d)h← H(c) h−−−−−−−−−−−−−−−−−−−−→

Winning condition: H(c) = h and m 6= m

Figure 5.5. Game Against the Proposed Protocol.

A CKp←−−−−−− (Kp,Ks)← setup()m−−−−−−→

c||d←−−−−−− (c, d)← commit(Kp,m)c||d−−−−−−→ m← open(Kp, c, d)

Winning condition: H(c) = H(c) and m 6= m

Figure 5.6. Reduced Game.

c) which is different from the input m. He can of course choose a c either equal or eitherdifferent to c. We study the two cases.

Case 1. (c = c) The adversary A chooses c equal to c and obviously fulfills the conditionH(c) = H(c). As depicted on Fig. 5.7, we can reduce the adversary A to an adversaryagainst the binding game of Fig. 5.4. We use an algorithm B bounded by complexity µwhich plays the binding game with a challenger C on one side and simulates a challengerfor A on the other side at the same time. Using adversary A and algorithm B, weconstruct an adversary AB which plays the binding game. Note that adversary AB hasa complexity bounded by T + µ.

First, the challenger C generates the pair of keys (Kp,KS) and sends Kp to B. B sendsit to A and receives a message m from A. He computes (c, d) using the commit functionwith Kp and sends c||d to A. As assumed, A chooses a c equal to c and also sends c||dto B. B can now deduce m using the open function with inputs c and d. Finally, Bsends all required values to the challenger C.Note that B simulates perfectly a challenger for A. Hence, A and AB win their re-spective game at the same time. Consequently, both win with the same probability ofsuccess. Recall that the probability of success of an adversary bounded by a complexityT + µ against the binding game of Fig. 5.4 is smaller than εc when the commitmentscheme is a (T + µ, εc)-trapdoor commitment. Hence, the probability that A succeedsand c = c is at most εc.

Case 2. (c 6= c) The adversary A searches a c different from c. As depicted on Fig. 5.8, wecan reduce the adversary A to an adversary against a second preimage search game.We use an algorithm B bounded by a complexity µ with the help of one query to theequivocate oracle. B plays the second preimage game with a challenger C on one side

49

Sylvain Pasini

A B CKp←−−−− Kp←−−−−−− (Kp, Ks)← setup()m−−−−→

c||d←−−−− (c, d)← commit(Kp,m)

(c = c)c||d−−−−→ m← open(Kp, c, d)

c||d||d−−−−−−→ m← open(Kp, c, d)m← open(Kp, c, d)

Winning condition: m,m 6=⊥ and m 6= m

Figure 5.7. Reduction to the SB Game (c = c).

A B CKp←−−−−−− (Kp, Ks)← setup()m−−−−−−→

c←−−−−−− pick c ∈U Cc||d←−−−−−− d← equivocate(Ks, m, c)c||d−−−−−−→ m← open(Kp, c, d)

c−−−−−−→Winning condition: H(c) = H(c) and m 6= m

Figure 5.8. Reduction to the WCR Game (c 6= c).

and simulate a challenger for A on the other side at the same time. Using adversary Aand algorithm B, we construct an adversary AB which plays the second preimage gamewith the challenger C. Note that adversary AB has a complexity bounded by T + µ.

First, B generates the keys and sends Kp to A. B receives a message m from A andreceives a challenge c from C . B can deduce the decommit value d by calling theoracle equivocate(m, c). Note that c has been picked uniformly and consequently thedistribution of (c, d) is the same as if they have been yield by the commit algorithm.Then, B can send c||d to A. A sends a c||d to B. Finally, B sends it to the challenger C.Note that B simulates perfectly a challenger for A. Hence, A and AB win their re-spective game at the same time and consequently with the same probability of success.Recall that the probability of success of an adversary against a second preimage gamebounded by a complexity T + µ is smaller than εh when H is a (T + µ, εh)-weaklycollision-resistant hash function. Hence, the probability that A succeeds and c 6= c isat most εh.

We conclude that any one-shot adversary bounded by a complexity T against the protocolof Fig. 5.4 has a probability of success smaller than εc+εh when the protocol uses a (T +µ, εh)-weakly collision resistant hash function H and a (T +µ, εc)-trapdoor commitment scheme.

We now consider powerful adversaries.

Theorem 6. Consider the message authentication protocol depicted in Fig. 5.4. We assumethat the function H is a (T + µ, εh)-weakly collision resistant hash function and the commit-

50


ment scheme is a (T + µ, εc)-trapdoor commitment scheme in the CRS model. There existsa (small) constant µ such that for any T , any adversary against this message authenticationprotocol with complexity bounded by T and with number of Alice’s (resp. Bob’s) instancesbounded by QA (resp. QB) has a probability of success p at most QA(εh + εc).

Assuming that WCR hash functions and trapdoor commitments such that εc ¿ εh =O(T2−k) exist, we have p = O(T · QA2−k) which meets the data of the generic attack fromTheorem 3 for T · QA ¿ 2k. Hence, our protocol is essentially optimal. As an example,assuming that an adversary is limited to QA ≤ 210, T ≤ 270, and that the security levelrequires p ≤ 2−20, the protocol of Fig. 5.2 requires k ≥ 160 and our protocol requires k ≥ 100.Using MD5 [Riv92], our protocol still achieves a quite luxurious security even though collisionshave been found on MD5 [WY05].

Proof. Consider an adversary who launches QA instances of Alice and QB instances of Bob.Clearly, we can simulate all instances of Bob, pick one who will make the attack succeed, andlaunch only this one. Hence, we reduce to QB = 1. Recall from Lemma 3 that any one-shotadversary has a probability of success smaller than εh + εc. Using Lemma 1, we conclude thatany adversary has a probability of success at most QA(εh + εc).

In conclusion, using the same amount of authenticated bits than the protocol of Fig. 5.2,we conclude that both have the same security against online attacks, but this latter protocolhas a better resistance against offline attacks.

51

Sylvain Pasini

52

Chapter

SIX

Interactive Authentication Protocol

In this chapter, we will recall the Vaudenay [Vau05] SAS-based message authentication pro-tocol. In a second time, we will present two implementations. The first one is a modificationof OpenSSH which allows users to use this protocol. The second application is a genericpeer-to-peer file authentication which allows two distant users to authenticate any files suchas public keys, and if required to exchange it assuming that they knows the distant voice andthey can authenticate it.

6.1 The Vaudenay SAS-based Protocol

On Fig. 6.1 is depicted the SAS-based message authentication protocol taken from Vaude-nay [Vau05]. In this protocol, Bob will authenticate a message m from Alice. After theexchange of the three first messages through the insecure channel, Alice has to authenticatea short string SAS = RA ⊕RB where RA and RB are randomly selected at the beginning byAlice and Bob respectively.

Alice Bobinput: m

pick RA ∈U 0, 1k pick RB ∈U 0, 1kc||d← commit(m||RA)

m||c−−−−−−−−−−−−−−→RB←−−−−−−−−−−−−−−d−−−−−−−−−−−−−−→ RA ← open(m, c, d)

SAS← RA ⊕ RBauthenticateAlice(SAS)−−−−−−−−−−−−−−→ check SAS = RA ⊕RB

output: Alice, m

Figure 6.1. SAS-based Message Authentication.

Recall that using a weak authentication channel, the adversary can delay or replay au-

53

Sylvain Pasini

thenticated messages. These two channel defects can lead to powerful attacks as seen onthe beginning of Chapter 4. This protocol resists to general attacks run by any adversarybounded by a number of protocol runs, i.e. the online complexity. Indeed, assuming thathiding commitment schemes exist, this protocol resists to offline attacks.

6.2 Short Security Analysis, Optimality

Due to interactivity, this protocol does not allow offline attacks. In addition, the authenticatedstring is uniformly distributed and independent of the message m. Vaudenay [Vau05] provesthat a one-shot attack has a probability of success at most 2−k + ε where ε ≥ 0 represents asmall advantage for attackers due to a non-perfect commitment scheme (non perfectly hiding).

Theorem 7 ([Vau05]). We consider one-shot adversaries against the message authenticationprotocol in Fig. 6.1. We denote by T and p their time complexity and probability of success,respectively. We assume that the commitment scheme is either (TC , ε)-extractable or (TC , ε)-equivocable. There exists a (small) constant µ such that for any adversary, we have eitherp ≤ 2−k + ε or T ≥ TC + µ.

In addition, he proves in [Vau05] that attacks which use QA instances of Alice and QB

instances of Bob have a probability of success against this protocol at most QAQB(2−k + ε).Note that the proof was done using Lemma 1. Consequently, any adversary which can useat least Q instances of Alice and Bob have a probability of success less than Q2

4 (2−k + ε).This meets the data of the generic attack from Theorem 1 for q ¿ 2k. So, the protocol isessentially optimal.

Theorem 1 tells us that the security of the protocol of Fig. 6.1 is optimal among all com-parable protocols since it reaches the maximal security of a message authentication protocoland these it cannot exists a better protocol using the same amount of authenticated bits.

6.3 A First Application: OpenSSH

Since SSH uses public key cryptography, it needs public key exchange and thus an authen-tication step is required. Most of the time, the authentication of the distant public key ismade by comparing the footprint computed locally by the client with the distant footprint,which is obtained from the SSH server in an authenticated way. One advantage of this wayis the non-interactivity. Fig. 6.2 shows a possible SSH connection setup between a client anda server.

Actually, the major drawback is that users often accept the distant public key by justanswering “yes” to the first question without checking the fingerprints. This leads to thenon-authentication of the distant public key and thus to a security problem.

To improve the security of OpenSSH, we have implemented the Vaudenay SAS-basedmessage authentication protocol [Vau05] in addition to the existent method. We use theauthentication protocol to authenticate the remote public key (from the server). This newmethod forces the user to authenticate the public key since it can not continue until it hasnot entered the valid SAS. Indeed, he must type the true SAS (and not just answer “yes”).

54

6 - Interactive Authentication Protocol

#> ssh pasini@lasecpc12The authenticity of host ’lasecpc12 (128.178.73.67)’ can’t beestablished.RSA key fingerprint isfb:0c:0e:bc:fd:c7:3d:68:e9:8b:2d:6b:c6:ae:88:e2.Are you sure you want to continue connecting (yes/no)? yes

30651: Warning: Permanently added ’lasecpc12,128.178.73.67’ (RSA)to the list of known hosts.

Password: ********

Have a lot of fun...

#> exitlogoutConnection to lasecpc12 closed.

Figure 6.2. Connection to a Remote Host using a Conventional Protocol

Unconscious users cannot use the system as before accepting all keys without authentication.Thus, this new system guarantees to the network a higher security. Fig. 6.3 gives us an exam-ple of an OpenSSH connection setup using the Vaudenay SAS-based message authentication.

We have tried to render our implementation compatible with other OpenSSH systems.Indeed, we have added the option -Z to both client and server. In particular, if the serverwould accept to use the Vaudenay SAS-based protocol [Vau05], the administrator must spec-ify the option -Z when he launches the daemon. Consequently, when the server send hisversion to the client, the string is SSH− 1.99− OpenSSH 3.9p1-sas. The last option indi-cates that the server could use the Vaudenay SAS-based protocol [Vau05]. The conventionalimplementations of OpenSSH would accept this version since it stops before the -. Similarly,if the client would use the Vaudenay SAS-based protocol [Vau05] for the authentication, hehave to specify the option -Z in the command line. During the parameters negotiation, theydetermine whether they use the new protocol or not. Four cases are now possible. The newprotocol is of course used only if both have enabled the SAS protocol, i.e. they sends a versionterminating with -sas.

Recall that the only manner to attack the SAS-based protocol of Fig. 6.1 is launchingseveral protocol instances which is not hard to detect.

This method of authentication would be perfect if it did not have the following defect:

The SAS must be obtained (and authenticated) for each unknown distant public key,for instance by phone if the administrator voice is known, or physically otherwise.

Suppose an administrator is responsible of a very big number of hosts, for instance a depart-ment of EPFL. He has to respond to a big number of phone calls or to encounter some studentssince his voice is not known by them. When a user starts a connection with an unknownhost, he needs the corresponding SAS. The administrator must be available at this moment

55

Sylvain Pasini

On the client side:

#> /scratch/pasini/myssh/bin/ssh -Z pasini@lasecpc16From the server : SSH-1.99-OpenSSH_3.9p1-sasUse SAS authentication.Start SAS protocol:

Wait on commit... Done.Commit=22348769876106551

Pick Rc. Rc=747Send Rc.Wait on decommit...Done.

Fingerprint=37:3a:3d:96:4b:c8:04:de:bc:3a:2b:c3:5c:d5:bd:f6Rs=990

Commit received valid

Enter the SAS: 1737 [entered by the user]SAS correct

pasini@lasecpc16’s password: ******** [entered by the user]

#> exitlogoutConnection to lasecpc16 closed.

On the server side (daemon output):

#> /scratch/pasini/myssh/sbin/sshd -ZSAS authentication enabled by the daemon.Start infinite loop

Child created to handle connection, pid=28649.Start SAS protocol:

Compute commit and decommitDecommit=37:3a:3d:96:4b:c8:04:de:bc:3a:2b:c3:5c:d5:bd:f6-990Commit=22348769876106551

Send the commit.Wait on Rc...Done.

Received Rc=747Send the decommit.Compute the SAS.

SAS=1737Save the SAS in the SAS database (for administrator).

On the server side (SAS database):

128.178.73.71 1737 [new line created]

Figure 6.3. Connection to a Remote Host using the SAS-Based Protocol

56


which can be impossible in some cases. Using the conventional way, the administrator mustbe available too, but not necessarily at the same time since the protocol is non-interactive. Inconclusion, this new system is more secure in particular for unconscious users. On the otherhand, it is not practically usable in most cases.

Possible applications of this implementation can be the exchange of public keys betweendistant users (or companies) that require a high security and very quickly. As presented inthe introduction, suppose for instance a disaster cause in a bank and the administrator is intrip. Thus, he must establish a very quick connection with the server using a new generatedpair of keys. The administrator is forced to authenticate the public key (very) quickly. Usingthe SAS-based protocol, he has just to call the bank, starts the protocol, and finally typesthe SAS which has been obtained with the help of a responsible person. In this case, thesecurity can be achieved with few bits, typically 15 bits, which is much less than the 160 bitsof a fingerprint.

6.4 A Peer-To-Peer File Authentication

In Section 6.3, we have seen that the implementation in OpenSSH of the Vaudenay SAS-basedmessage authentication protocol [Vau05] was a problem. Indeed, the interactivity forced theadministrator to be available at “any time” to exchange some SAS. This reason encouragedus to propose a better application for this protocol. It seems reasonable to assume that twousers, who can arrange themselves between them, can be available during the exchange of amessage, e.g. a public key. In this section, we propose a peer-to-peer application that helpto authenticate public keys. In fact, the proposed system is more general and allows users toauthenticate, and if required to exchange, files like GPG public key files.

The application which have been implemented communicates through the Internet net-work using a chosen port (the insecure channel). In addition, they needs an human com-munication channel, which achieves authentication, typically telephone (the authenticatedchannel). The application is based on the client-server model and works in short as follow:Suppose two persons: Alice and Bob. Bob would authenticate a file from Alice (e.g. her GPGpublic key). First, he launches the SAS File Exchange application and wait for connection(i.e. he is the server). Then, he contacts Alice, for example by telephone, and asks him toauthenticate one of her files. Alice launches the application too, selects the file to authen-ticate and the destination address, i.e. IP address and port number. Then, she starts theauthentication protocol (i.e. she is the client).

6.4.1 The Implemented Protocol

The Vaudenay SAS-based authentication protocol depicted on Fig. 6.1 has been adapted fora practical implementation. The implemented version works as described on Fig. 6.4. Inparticular, the file which has to be authenticated can be exchanged or not. If Alice and Bobhas already exchanged the file, e.g. by email, authentication only is made, otherwise the fileis exchanged at the beginning of the protocol.

57

Sylvain Pasini

Alice Bobinput: m input: mB

Wait for connection...open connection−−−−−−−−−−−−−−→

r←−−−−−−−−−−−−−− r ←

1 if mB =⊥0 otherwise

if r = 1 then ask Alice.

a←

1 if Alice accepts0 otherwise

a−−−−−−−−−−−−−−→if a = 0 then abort if a = 0 then abort

m(if r==1)−−−−−−−−−−−−−−→ mB ←

m if mB =⊥mB otherwise

pick RA ∈U 0, 1kpick Rdm ∈U 0, 180

c← SHA1(m||RA||Rdm) c−−−−−−−−−−−−−−→RB←−−−−−−−−−−−−−− pick RB ∈U 0, 1kRA−−−−−−−−−−−−−−→

Rdm−−−−−−−−−−−−−−→SAS← RA ⊕ RB

authenticateAlice(SAS)−−−−−−−−−−−−−−→ check c = SHA1(mB ||Ra||Rdm)check SAS = RA ⊕RB

output: Alice, mB

Figure 6.4. Implementation of the Vaudenay SAS-based Message Authentication with Ran-dom Oracle Commitment.

58


Figure 6.5. Screen-shot of the Main Frame

6.4.2 The Final Application

The final application has been implemented in Java for its simplicity of designing user-friendlyinterfaces. It is principally composed of three windows.

The main window is the only visible at the launches of the application. It allows users toopen one of the two other windows or to quit the application. A screen-shot is printedon Fig. 6.5.

The receive window is normally opened by the user, i.e. Bob, who will authenticate adistant file, i.e. form Alice, and possibly will receive it. A screen-shot is printed onFig. 6.7.He has to specify the port number and the file destination. Three cases are possible forthe file destination:

No filename specified. The protocol (Bob) requests the source (Alice) to send thefile. If the source accept, Bob receives the file and the correspondent filename.The received file would be saved in the received filename.

A non-existent filename specified. The protocol (Bob) requests the source (Alice)to send the file. The received file would be saved in the specified filename.

An existent filename specified. The protocol (Bob) does not request the source(Alice) to send the file and later use the specified file to check the commit.

By clicking on the button “Waiting authentication”, Bob enters in a waiting mode untilit receives a connection on the specified port.After the execution of the protocol, Bob has to enter the SAS which has been yield byAlice for instance by telephone.

The send window is normally opened by the user who has the source of the file, i.e. Alice.A screen-shot is printed on Fig. 6.6.She has to specify the source filename, the destination hostname, i.e. the on of Bob,and the port number to be used.By clicking on the button “Start authentication”, Alice starts the protocol by estab-lishing a connection to Bob.If Bob would have requested the file transfer, a dialog window is opened. Alice caneither accept to send the file, or either abort the protocol.

59

Sylvain Pasini

At the end of the execution of the protocol, Alice has to gives the SAS to Bob using anauthenticated channel, for instance a telephone.

The executions of the SAS-based protocol on Alice and on Bob sides are depicted re-spectively on Fig. 6.6 and Fig. 6.7. These executions represent a public key authenticationwithout transfer by considering that Alice has send its public key to Bob prior the protocol,e.g. by email.

6.4.3 Number of SAS Trials

The used SAS has a fixed length of 5 digits. A sixth digit has been added to check its validity.In an application of this type, it is important to allow users to make mistake(s). On the otherhand, this flexibility does not reduce the security. If simply two tries are allowed, an attackerhas two tries to attack the protocol. Consequently, the probability of success is twice theprobability of success of the original protocol.

The sixth digit is a digit of redundancy. It is the sum of the five original digits modulo10. When Bob enter a SAS, first the redundancy is checked.

If the redundancy is bad , Bob has entered a non-valid SAS and can try another one(only). Note that an attacker has no chance with a generated SAS with bad redundancysince it would be rejected with probability 1.

If the redundancy is correct , either the SAS entered is right and also the file is authen-ticated, either it is false and the file authentication is aborted since an attack can beoccurred.

Using this method, users can make a mistake typing the SAS, but the security is notdecreased. On the other hand, it costs one additional digit.

6.4.4 In Short

The proposed application allows users to exchange files on an authenticated way. It can beused to exchange PGP, or GPG, public keys by authenticating only six digits. Note that thecurrent method uses the protocol of Fig. 5.2 and requires 160 authenticated bits which areusually represented by 32 hexadecimal digits. Fortunately, the proposed protocol requiresthe exchange of only 15 authenticated bits which is much smaller than the current method.

60


Figure 6.6. Screen-shot of the Frame on Alice Side (Verbose Mode)

Figure 6.7. Screen-shot of the Frame on Bob Side (Verbose Mode)

61

Sylvain Pasini

62

Chapter

SEVEN

Interactive vs. Non-Interactive Protocols andtheir Applications

In Chapter 6, we have seen two applications of the interactive SAS-based protocol. In theOpenSSH application, the interactivity was a problem, recall that the administrator becamequickly overloaded by the SAS distribution. In the second application, the peer-to-peer fileauthentication, the interactivity was an advantage since it allowed users to exchange shortstrings instead of longer ones.

In this chapter, we try to compare and analyze interactive and non-interactive protocols.In a second time, we sketch some applications and we discuss whether interactive or non-interactive is better in this case.

7.1 A Short Comparison

Usability An interactive protocol allows shorter authenticated strings and thus it is moreuser-friendly. On the other hand, an interactive protocol forces the users to be synchronizedwhich can be not user-friendly.

Security We have seen in Chapter 5 that non-interactive protocols are vulnerable to offlineand online attacks. Interactive protocols are in general resistant to offline attacks and thustheir security is better.

Cost In term of amount of authenticated bits, interactive protocols are lower cost sincethey don’t have to resist to offline attacks and thus can use shorter authenticated string

An exception is MANA. Indeed, it is a non-interactive protocol using only few authen-ticated bits. On the other hand, it requires a stronger authenticated channel which is moreexpensive than a weak authenticated one.

63

Sylvain Pasini

Complexity The non-interactive protocols often use one-way hash functions. Thus, theircomplexity is basically a hash computation on each sides of the protocol.

In the proposed (non-interactive) protocol, a commitment scheme is used in addition tothe hash function. Consequently, its complexity is a commitment and a hash computationon each side.

The only interactive protocol seen in this work uses a commitment and its complexity isa commit call and an open call on each side respectively.

Note that a commitment scheme can be very complex compared to a simple hash compu-tation. Thus, protocols using a commitment scheme are in general more complex than onesusing only hash functions.

7.2 Some Applications Examples

7.2.1 Applications Based on Public Keys

SSH. In Section 6.3, we have seen the problem of an interactive protocol in this case. Onthe other hand, the interactivity forces users to authenticate the distant public key and notjust accept them. Indeed, with the presented solution, the user must enter the good SAS tocontinue.

PGP, GPG. Currently, the protocol used is non-interactive. Consequently, it allows thetwo distant users to run a non-synchronized authentication. On the other hand, they mustauthenticate a long string, e.g. 160 bits.

In Section 6.4, we have seen that an interactive protocol can be used for peer-to-peer key(file) authentication. Here, we assume that two distant users can run a synchronized protocol.The interactivity has the advantage of allowing shorter SAS.

PGPfone. PGPfone is a software package that allows to transform a computer into a securetelephone. Suppose two persons would communicate securely, i.e. Bob calls Alice. A possiblescenario can be to start with a non-secure communication. The two users can communicate.In particular, if Bob knows Alice, the non-secure communication is an authenticated channel.Thus, Alice can send its public key to Bob, e.g. using another TCP port or by email, and shecan authenticate their public key by spelling its fingerprint. After this authentication step,the two users can setup a secure communication by using the public key which has just beenexchanged.

Clearly, both users are eventually synchronized, thus an interactive protocol can be runsimultaneously on another TCP port without any additional constraint. In addition, thissecond method allows shorter SAS as seen in the comparison since the protocol is interactive.

In conclusion, an interactive protocol is better in this case since it allows shorter SASwithout requiring any additional constraint.

64

7 - Interactive vs. Non-Interactive Protocols and their Applications

7.2.2 Bluetooth Devices Pairing and Wireless USB

An alternative method to Bluetooth pairing can be to exchange a public key and then au-thenticate it. Note that a device pairing requires both available. Consequently, an interactiveprotocol requires no additional constraint. Thus, short SAS can be used to authenticate pub-lic keys. For small devices, this can be restrictive since costly commitment schemes can behard to implement. Recall that protocol of Fig. 6.1 requires a commitment scheme.

Wireless USB will appear soon. Some USB devices, such as printers, will become wireless.As for Bluetooth, a WUSB device requires a pairing step otherwise attacks can be run.

Let us consider some applications. We does not focus on the implementation of theauthentication protocol, but rather on the user interface.

A headset has no keyboard and no display and it must communicate to exchange theSAS (if an interactive protocol is used). Clearly, a telephone must authenticate its headset.After the protocol execution, a SAS must be exchanged from the headset to the telephone.A solution would be that the ear-phone pronounces the SAS and then the user types it onthe telephone keyboard.

For a keyboard of a computer, it is important to authenticate the computer and to setupa secure communication. Otherwise, an adversary can for example recover passwords typedon the keyboard. Thus, a SAS must be exchanged from the computer to the keyboard.Fortunately, the keyboard has inputs. The users could type on his keyboard a SAS whichis displayed on the screen of the computer. Here, we consider that the display to user is anauthenticated channel. Note that it does not need a confidential channel since a SAS is nota PIN code. A symmetric problem is to make sure that the computer is linked to the rightkeyboard. For this, we only require the keyboard to have a LED showing when the securecommunication was successfully set up: if the computer says that a connection was setup toa keyboard but the right keyboard does not, then it was made by a wrong one.

When a user on the road would like to print a confidential document from his laptopcomputer to a wireless printer, authentication of the printer is necessary. In the case wherethe printer has a display, it is not a problem: the printer just displays the SAS which is typedon the laptop. Consider that the printer has no display. The printer can still print the SASon a page. The protocol can be interactive in this case to allow short SAS.

A hard disk has in general no input/output with the user. Here are some alternate waysfor “deaf-mute” devices:

1. Start with a wired connection to setup a security association. After this step, it can bedisconnected and can use the wireless link securely. Note that a good solution can bethat the device remembers the security association for the next time.

2. “Hard-code” a key on the device and print them on its box. The user has to type it onits computer during the authentication step.

3. Use resurrecting duckling paradigm from Stajano-Anderson [SA99]. In short, when adevice is booted the first time, it searches another device in its vicinity and trusts thefirst found for always.

4. Use a distance bounding authentication which is well adapted in these cases since weare doing pairings and devices are very close.

65

Sylvain Pasini

66

Conclusion

We have analyzed on a global perspective the security of message authentication protocols. Inparticular, we have seen that there exists a generic one-shot attack with probability of successessentially 1/s where s is the size of the set of all possible authenticated strings. We have alsosketched a generic attack which uses QA instances of Alice and QB of Bob with probabilityof success essentially 1 − e

QAQBs . Thus, any message authentication protocol which has no

better attack is essentially “optimal” since any other protocol can be attacked using thesegeneric attacks and consequently can not have a better security.

We have discussed the security of the non-interactive protocols of Fig. 5.2 and 5.3. Wehave proposed a new non-interactive message authentication protocol based on a commitmentscheme. It has the same security as the currently used in SSH (Fig. 5.2) against one-shotattacks but using only half authenticated bits, e.g. 80 bits. 100 bits only are required againstmore general attacks and allowing a quite good security. Indeed, due to the commitmentscheme, the authenticated value is not foreseeable and the proposed protocol is resistantto collision attacks that are run offline. We stress that the security of our protocol reliesessentially on the hardness of the SB game of the commitment scheme and on the hardnesson the WCR game of the hash function.

In addition, we have proposed two implementations of the Vaudenay SAS-based authen-tication protocol. The first was an implementation in OpenSSH and the second was a peer-to-peer file authentication. These two implementations bought us to discuss whether anapplication must use an interactive protocol or if it is better to use a non-interactive one. Asexpected, it is in fact dependent on the application. Indeed, an interactive protocol allowsshorter SAS than a non-interactive one, but requires a synchronization between the users.For instance, an interactive protocol in SSH is not well adapted since the synchronizationleads to some problems, but for the second application an interactive protocol is better sinceit allows shorter authenticated strings and thus becomes more user-friendly.

67

Sylvain Pasini

68

Bibliography

[AES01] Advanced encryption standard (AES). Federal Information Processing Stan-dards, Publication 197, U.S. Department of Commerce, National Institute ofStandards and Technology, 2001.

[BB05] Laurent Bussard and Walid Bagga. Distance-bounding proof of knowledge toavoid real-time attacks. In SEC ’05: 20th IFIP International Information Se-curity Conference, Makuhari-Messe, Chiba, Japan, May 2005.

[BC93] Stefan Brands and David Chaum. Distance-bounding protocols. In Tor Helle-seth, editor, Advances in cryptology – EUROCRYPT ’93: Workshop on the The-ory and Application of Cryptographic Techniques, volume 765 of Lecture Notesin Computer Science, pages 344–359, Lofthus, Norway, May 1993. Springer-Verlag.

[BCC88] Gilles Brassard, David Chaum, and Claude Crepeau. Minimum disclosure proofsof knowledge. Journal of Computer and System Sciences, 37(2):156–189, 1988.

[BCJ+05] Eli Biham, Rafi Chen, Antoine Joux, Patrick Carribault, Christophe Lemuet,and William Jalby. Collisions of SHA-0 and reduced SHA-1. In Advances inCryptology – EUROCRYPT ’05: 24th Annual International Conference on theTheory and Applications of Cryptographic Techniques, Lecture Notes in Com-puter Science, pages 36–57, Aarhus, Denmark, 2005. Springer-Verlag.

[BCK96] Mihir Bellare, Ran Canetti, and Hugo Krawczyk. Keying hash functions for mes-sage authentication. In Neal Koblitz, editor, Advances in Cryptology – CRYPTO’96: 16th Annual International Cryptology Conference, volume 1109 of LectureNotes in Computer Science, pages 1–15, Santa Barbara, California, U.S.A., Au-gust 1996. Springer-Verlag.

[BCP03] Emmanuel Bresson, Dario Catalano, and David Pointcheval. A simple public-key cryptosystem with a double trapdoor decryption mechanism and its appli-cations. In Chi-Sung Laih, editor, Advances in cryptology – ASIACRYPT ’03:9th International Conference on the Theory and Application of Cryptology andInformation Security, volume 2894 of Lecture Notes in Computer Science, pages37–54, Taipei, Taiwan, January 2003. Springer-Verlag.

69

Sylvain Pasini

[BK90] Joan F. Boyar and Stuart A. Kurtz. A discrete logarithm implementation ofperfect zero-knowledge blobs. Journal of Cryptology, 2(2):63–76, 1990.

[Blu03] Bluetooth. Specification of the Bluetooth System. Version 1.2, 2003.

[BR93] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution.In Douglas R. Stinson, editor, Advances in Cryptology – CRYPTO ’93: 13thAnnual International Cryptology Conference, volume 773 of Lecture Notes inComputer Science, pages 232–249, Santa Barbara, California, U.S.A., August1993. Springer-Verlag.

[BR00] John Black and Phillip Rogaway. CBC MACs for arbitrary-length messages:The three-key constructions. In Mihir Bellare, editor, Advances in Cryptology –CRYPTO ’00: 20th Annual International Cryptology Conference, volume 1880of Lecture Notes in Computer Science, pages 197–215, Santa Barbara, Califor-nia, U.S.A., 2000. Springer-Verlag.

[BSSW02] Dirk Balfanz, Diana K. Smetters, Paul Stewart, and H. Chi Wong. Talking tostrangers: Authentication in ad-hoc wireless networks. In Proceedings of Net-work and Distributed System Security Symposium 2002 (NDSS’02), San Diego,California, U.S.A, February 2002.

[CCH05] Mario Cagalj, Srdjan Capkun, and Jean-Pierre Hubaux. Key agreement in peer-to-peer wireless networks. In Proceedings of the IEEE, Special Issue in Securityand Cryptography, 2005.

[CF01] Ran Canetti and Marc Fischlin. Universally composable commitments. InJoe Kilian, editor, Advances in Cryptology – CRYPTO ’01: 21st Annual In-ternational Cryptology Conference, volume 2139 of Lecture Notes in ComputerScience, pages 19–40, Santa Barbara, California, U.S.A., August 2001. Springer-Verlag.

[CGHGN01] Dario Catalano, Rosario Gennaro, Nick Howgrave-Graham, and Phong Q.Nguyen. Paillier’s cryptosystem revisited. In CCS ’01: Proceedings of the 8thACM conference on Computer and Communications Security, pages 206–214,Philadelphia, Pennsylvania, U.S.A., 2001. ACM Press.

[CLOS02] Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universallycomposable two-party and multiparty secure computation. In STOC ’02: Pro-ceedings of the thiry-fourth annual ACM symposium on Theory of computing,Montreal, Quebec, Canada, 2002. ACM Press.

[CS02] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm foradaptive chosen ciphertext secure public-key encryption. In Lars R. Knudsen,editor, Advances in Cryptology – EUROCRYPT ’02: International Conferenceon the Theory and Applications of Cryptographic Techniques, volume 2332 ofLecture Notes in Computer Science, Amsterdam, The Netherlands, April 2002.Springer-Verlag.

70

7 - BIBLIOGRAPHY

[DES77] Announcing the Data Encryption Standard (DES). Federal Information Pro-cessing Standard, Publication 46, National Institute of Standards and Technol-ogy (NIST), 1977.

[DES99] Data Encryption Standard (DES). Federal Information Processing Standard,Publication 46-3, National Institute of Standards and Technology (NIST), 1999.

[DG03] Ivan Damgard and Jens Groth. Non-interactive and reusable non-malleablecommitment schemes. In STOC ’03: Proceedings of the thirty-fifth annualACM symposium on Theory of computing, pages 426–437, San Diego, California,U.S.A., 2003. ACM Press.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEETransactions on Information Theory, IT–22(6):644–654, November 1976.

[DN02] Ivan Damgard and Jesper Buus Nielsen. Perfect hiding and perfect bindinguniversally composable commitment schemes with constant expansion factor.In Moti Yung, editor, Advances in Cryptology – CRYPTO ’02: 22nd AnnualInternational Cryptology Conference, volume 2442 of Lecture Notes in Com-puter Science, pages 581–596, Santa Barbara, California, U.S.A., August 2002.Springer-Verlag.

[DSS94] Digital signature standard (DSS). Federal Information Processing Standard,Publication 186, U.S. Department of Commerce, National Institute of Standardsand Technology, 1994.

[DSS00] Digital signature standard (DSS). Federal Information Processing Standard,Publication 186-2, U.S. Department of Commerce, National Institute of Stan-dards and Technology, 2000.

[GMN04] Christian Gehrmann, Chris J. Mitchell, and Kaisa Nyberg. Manual authentica-tion for wireless devices. RSA Cryptobytes, 7(1):29–37, January 2004.

[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signaturescheme secure against adaptive chosen-message attacks. SIAM Journal on Com-puting, 17(2):281–308, 1988.

[GN01] Christian Gehrmann and Kaisa Nyberg. Enhancements to Bluetooth basebandsecurity. In Nordsec ’01, Copenhagen, Denmark, November 2001.

[GN04] Christian Gehrmann and Kaisa Nyberg. Security in personal area networks.Security for Mobility, pages 191–230, 2004.

[IK03] Tetsu Iwata and Kaoru Kurosawa. Omac: One-key cbc mac. In Thomas Johans-son, editor, FSE ’03: Fast Software Encryption: 10th International Workshop,volume 2887 of Lecture Notes in Computer Science, pages 129–153, Lund, Swe-den, January 2003. Springer-Verlag.

[JV03] Pascal Junod and Serge Vaudenay. Fox specifications version 1.1. In TechnicalReport EPFL/IC/2003/82, EPFL, 2003.

71

Sylvain Pasini

[Mer78] Ralph C. Merkle. Secure communications over insecure channels. Communica-tions of the ACM, 21(4):294–299, 1978.

[MUM03] International Organization for Standardization, Geneva, Switzerland. ISO/IEC1st CD 9798-6, Information technology – Security techniques – Entity authen-tication – Part 6: Mechanisms using manual data transfer, 2003.

[MVOV96] Alfred J. Menezes, Paul C. Van Oorschot, and Scott A. Vanstone. Handbook ofApplied Cryptography. CRC Press, 1996.

[MY04] Philip MacKenzie and Ke Yang. On simulation-sound trapdoor commitments.In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology –EUROCRYPT ’04 : International Conference on the Theory and Applications ofCryptographic Techniques, volume 3027 of Lecture Notes in Computer Science,pages 382–400, Interlaken, Switzerland, May 2004. Springer-Verlag.

[Pai99] Pascal Paillier. Public-key cryptosystems based on composite degree residuos-ity classes. In Jacques Stern, editor, Advances in Cryptology – EUROCRYPT’99: International Conference on the Theory and Application of CryptographicTechniques, volume 1592 of Lecture Notes in Computer Science, pages 223–238,Prague, Czech Republic, May 1999. Springer.

[Pas03] Rafael Pass. On deniability in the common reference string and random oraclemodel. In Dan Boneh, editor, Advances in Cryptology – CRYPTO ’03: The23rd Annual International Cryptology Conference, volume 2729 of Lecture Notesin Computer Science, pages 316–337, Santa Barbara, California, U.S.A., 2003.Springer-Verlag.

[Ped91] Torben P. Pedersen. Non-interactive and information-theoretic secure verifiablesecret sharing. In Joan Feigenbaum, editor, Advances in Cryptology – CRYPTO’91: The 11th Annual International Cryptology Conference, volume 576 of Lec-ture Notes in Computer Science, pages 129–140, Santa Barbara, California,U.S.A., 1991. Springer-Verlag.

[Riv92] Ronald L. Rivest. The MD5 message digest algorithm. Technical Report Inter-net RFC-1321,IETF, 1992.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for ob-taining digital signatures and public-key cryptosystems. Communications of theACM, 21(2):120–126, Februar 1978.

[SA99] Frank Stajano and Ross Anderson. The resurrecting duckling: Security issuesfor ad-hoc wireless networks. In Bruce Christianson, Bruno Crispo, James A.Malcolm, and Michael Roe, editors, Security Protocols, 7th International Work-shop Proceedings, volume 1796 of Lecture Notes in Computer Science, pages172–194, Cambridge, UK, 1999. Springer-Verlag.

[Sha49] C. E. Shannon. Communication theory of secrecy systems. Bell Sys. Tech. J.,28:657–715, 1949.

72

7 - BIBLIOGRAPHY

[SHA93] Secure hash standard. Federal Information Processing Standard, Publication180, U.S. Department of Commerce, National Institute of Standards and Tech-nology, 1993.

[SHA95] Secure hash standard. Federal Information Processing Standard, Publication180-1, U.S. Department of Commerce, National Institute of Standards and Tech-nology, 1995.

[Sim88] Gustavus J. Simmons. How to (really) share a secret. In Shafi Goldwasser,editor, Advances in Cryptology – CRYPTO ’88: The 8th Annual InternationalCryptology Conference, volume 403 of Lecture Notes in Computer Science, pages390–448, Santa Barbara, California, U.S.A., 1988. Springer-Verlag.

[Sti95] Douglas R. Stinson. Cryptography: Theory and Practice. CRC Press, 1995.

[Vau04] Serge Vaudenay. Communication Security : An Introduction to Cryptography.EFPL Course, 2004.

[Vau05] Serge Vaudenay. Secure communications over insecure channels based on shortauthenticated strings. In Victor Shoup, editor, Advances in Cryptology –CRYPTO ’05: The 25th Annual International Cryptology Conference, volume3621 of Lecture Notes in Computer Science, pages 309–326, Santa Barbara,California, U.S.A., August 2005. Springer-Verlag.

[WBD05] Yongdong Wu, Feng Bao, and Robert H. Deng. Secure human communicationsbased on biometrics signals. In SEC ’05: 20th IFIP International InformationSecurity Conference, pages 205–221, Chiba, Japan, May 2005.

[WLF+05] Xiaoyun Wang, Xuejia Lai, Dengguo Feng, Hui Chen, and Xiuyuan Yu. Crypt-analysis of the hash functions MD4 and RIPEMD. In Ronald Cramer, edi-tor, Advances in Cryptology – EUROCRYPT ’05: 24th Annual InternationalConference on the Theory and Applications of Cryptographic Techniques, Lec-ture Notes in Computer Science, pages 1–18, Aarhus, Denmark, 2005. Springer-Verlag.

[WY05] Xiaoyun Wang and Hongbo Yu. How to break MD5 and other hash functions.In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT ’05: 24thAnnual International Conference on the Theory and Applications of Crypto-graphic Techniques, Lecture Notes in Computer Science, pages 19–35, Aarhus,Denmark, 2005. Springer-Verlag.

[WYY05a] Xiaoyun Wang, Yiqun Yin, and Hongbo Yu. Finding collisions in the fullSHA1. In Victor Shoup, editor, Advances in Cryptology – CRYPTO ’05: The25th Annual International Cryptology Conference, volume 3621 of Lecture Notesin Computer Science, pages 17–36, Santa Barbara, California, U.S.A., August2005. Springer-Verlag.

[WYY05b] Xiaoyun Wang, Xiuyuan Yu, and L. Y. Yin. Efficient collision search attackson SHA-0. In Victor Shoup, editor, Advances in Cryptology – CRYPTO ’05:

73

Sylvain Pasini

The 25th Annual International Cryptology Conference, volume 3621 of LectureNotes in Computer Science, pages 1–16, Santa Barbara, California, U.S.A.,August 2005. Springer-Verlag.

74

List of Figures

1.1 The Common Human Communications Channels . . . . . . . . . . . . . . . . 15

1.2 The Shannon Model [Sha49]. . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.3 The Merkle-Diffie-Hellman Model. . . . . . . . . . . . . . . . . . . . . . . . . 16

1.4 The Diffie-Hellman Key Agreement Protocol. . . . . . . . . . . . . . . . . . . 17

1.5 The Semi-Authenticated Key Transfer Using Public-Key Cryptography. . . . 17

2.1 Non-Interactive Message Authentication based on a CRHF . . . . . . . . . . 20

2.2 The MANA I Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.3 Interactive SAS-based Message Authentication. . . . . . . . . . . . . . . . . . 21

2.4 Semi-Authenticated Key Agreement Using Voice Records. . . . . . . . . . . . 22

2.5 Man-In-The-Middle Attack (Simplified Version). . . . . . . . . . . . . . . . . 23

2.6 Distance-Bounding Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.7 Key Agreement Protocol Using Distance Bounding. . . . . . . . . . . . . . . . 25

3.1 Message Authentication Protocol Channels (General) Model . . . . . . . . . . 27

3.2 Stronger Properties of Human Authenticated Channels . . . . . . . . . . . . . 30

3.3 SH Game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.4 FH Game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

3.5 SB Game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.6 FB Game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.7 Ideal Commitment: Commit Algorithm. . . . . . . . . . . . . . . . . . . . . . 35

3.8 Ideal Commitment, Decommit Algorithm. . . . . . . . . . . . . . . . . . . . . 35

3.9 WCR game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

4.1 Generic One-Shot Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

5.1 Non-Interactive Channels Model . . . . . . . . . . . . . . . . . . . . . . . . . 45

5.2 Non-Interactive Message Authentication using a CRHF. . . . . . . . . . . . . 46

5.3 The MANA I Protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

75

Sylvain Pasini

5.4 Non-Interactive Message Authentication Based on a WCRHF. . . . . . . . . 485.5 Game Against the Proposed Protocol. . . . . . . . . . . . . . . . . . . . . . . 495.6 Reduced Game. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495.7 Reduction to the SB Game (c = c). . . . . . . . . . . . . . . . . . . . . . . . . 505.8 Reduction to the WCR Game (c 6= c). . . . . . . . . . . . . . . . . . . . . . . 50

6.1 SAS-based Message Authentication. . . . . . . . . . . . . . . . . . . . . . . . 536.2 Connection to a Remote Host using a Conventional Protocol . . . . . . . . . 556.3 Connection to a Remote Host using the SAS-Based Protocol . . . . . . . . . 566.4 Implementation of the Vaudenay SAS-based Protocol . . . . . . . . . . . . . . 586.5 Screen-shot of the Main Frame . . . . . . . . . . . . . . . . . . . . . . . . . . 596.6 Screen-shot of the Frame on Alice Side (Verbose Mode) . . . . . . . . . . . . 616.7 Screen-shot of the Frame on Bob Side (Verbose Mode) . . . . . . . . . . . . . 61

7.1 Three First Steps of the Recurrence. . . . . . . . . . . . . . . . . . . . . . . . 81

76

Appendix A

Lemma 4. Let X and Y be two identically distributed independent random variables withdistribution D over a support set S. We have

Pr[X = Y ] ≥ 1#S

(7.1)

with equality if and only if D is the uniform distribution.

Proof. Let s be the size of the set S. We have

Pr[X = Y ] =∑

Si∈S

Pr[X = Si] · Pr[Y = Si]

=∑

Si∈S

p2i

where pi is Pr[X = Si].Let us write pi = 1

s + ρi. Thus, we obtains

∑

Si∈S

p2i =

∑

Si∈S

(1s

)2

+ 2∑

Si∈S

1sρi +

∑

Si∈S

ρ2i

Knowing that the sum of pi equals to 1 we can easily deduce that the sum of ρi equals 0.Thus, ∑

Si∈S

p2i =

1s

+∑

Si∈S

ρ2i

The sum of ρ2i is greater or equal to 0. Note that it is equal to 0 if and only if all ρi are null,

i.e. D is uniform.Finally the probability searched is:

Pr[X = Y ] ≥ 1s

with equality if and only if D is the uniform distribution.

77

Sylvain Pasini

78

Appendix B

Lemma 5. We consider two sets of random values Xi, resp. Yj, of size p, resp. q, wherethe elements are picked in a set S of size s with distribution D.

The probability of collision between the two sets is minimal when the distribution D isuniform.

Proof. Let Cp,qD the probability that there exists a Xi which corresponds to a Yj given a

distribution D along the set S of s elements, i.e. a collision occurred between the two sets.

Cp,qD = Pr

[X1, · · · , XQA ∩ Y1, · · · , YQB

6= ∅]

Formally, we have to prove that

Cp,qD ≥ Cp,q

Us(7.2)

where UN is the uniform distribution among a set of N possible elements.We will proceed by first proving that Eq. 7.2 is true for a support S of one element. Then,

we will prove by recurrence that Eq. 7.2 is true for any s, i.e. by proving that it is true for selements assuming that it is true for s− 1 elements.

For a set S of one element, i.e. s = 1, the result is straightforward since the only possibledistribution is the uniform distribution and we have Cp,q

D = Cp,qU1

.

For a set S of any size n, we will prove that it is also true by assuming that Eq. 7.2 istrue for n − 1 or less elements. Let a an elements of S and ta his probability, i.e.ta = PrD[X = a]. We define the distribution D′ as

PrD′

[X = x] =

0 if x = aPrD[X = x|x 6= a] if x 6= a

79

Sylvain Pasini

Considering the particular element a, we can write

Cp,qD = Pr

[Xi ∩ Yj 6= ∅∣∣a /∈ Xi, a /∈ Yj

]

·Pr[a /∈ Xi, a /∈ Yj]+Pr

[Xi ∩ Yj 6= ∅∣∣a ∈ Xi, a ∈ Yj

]

·Pr[a ∈ Xi, a ∈ Yj]+Pr

[Xi ∩ Yj 6= ∅∣∣a ∈ Xi, a /∈ Yj

]

·Pr[a ∈ Xi, a /∈ Yj]+Pr

[Yi ∩ Yj 6= ∅∣∣a /∈ Xi, a ∈ Yj

]

·Pr[a /∈ Xi, a ∈ Yj]

which can be written as

Cp,qD = Cp,q

D′ · (1− ta)p(1− ta)q

+1 · [1− (1− ta)p][1− (1− ta)q]

+p∑

i=1

Cp−i,q

D′

(p

i

)tia(1− ta)p−i

·[1− (1− ta)p](1− ta)q

+q∑

i=1

Cp,q−i

D′

(q

i

)tia(1− ta)q−i

·(1− ta)p[1− (1− ta)q].

Noting that D′ is distributed over n− 1 elements and assuming that Eq. 7.2 is true forn− 1 elements, we obtain

Cp,qD ≥ Cp,q

Un−1· (1− ta)p(1− ta)q

+1 · [1− (1− ta)p][1− (1− ta)q]

+p∑

i=1

Cp−i,q

Un−1

(p

i

)tia(1− ta)p−i

·[1− (1− ta)p](1− ta)q

+q∑

i=1

Cp,q−i

Un−1

(q

i

)tia(1− ta)q−i

·(1− ta)p[1− (1− ta)q].

The right hand side of this inequality corresponds to the probability of collisions Cp,qD0

where the distribution D0 is defined as

PrD0

[X = x] =

ta if x = a1

n−1(1− ta) if x 6= a.

Consequently, we obtain Cp,qD ≥ Cp,q

D0. We repeat this step using the same reasoning but

using another element. Let b 6= a an element of the set S and let tb his probability over

80

7 - LIST OF FIGURES

D0, i.e. tb = PrD0 [X = b] = 1n−1(1 − ta). Proceeding as before, we obtain Cp,q

D0≥ Cp,q

D1

where D1 is defined as

PrD1

[X = x] =

tb if x = b1

n−1(1− tb) if x 6= b.

Finally, we obtain the following recurrence

Cp,qD ≥ Cp,q

D0≥ Cp,q

D1≥ · · · ≥ Cp,q

Di≥ · · ·

where the distributions are defined as

PrDi

[X = x] =

ti if x = ai1

n−1(1− ti) if x 6= ai

with

ai =

a if i oddb if i even

and t0 is PrD[X = ai] and for i ≥ 1, ti is PrDi−1 [X = ai].

Fig. 7.1 represents on its top the original distribution D. The three first steps of therecurrence, i.e. D0, D1, D2, are represented below it.

Distribution D1

a

a

b

Distribution D0

Distribution D2

Initial Distribution D

X

X

X

X

0.4

0.2

0.0

0.4

0.2

0.0

0.4

0.2

0.0

0.4

0.2

0.0

Pr[X]

Pr[X]

Pr[X]

Pr[X]

Figure 7.1. Three First Steps of the Recurrence.

81

Sylvain Pasini

It seems that the recurrence converges rapidly near the uniform distribution. Indeed, wehave ti+1 = 1

n−1(1− ti) and thus ti = 1n +(− 1

n−1)i · (t0− 1n) which converges to 1

n when n > 1.We can finally write

Cp,qD ≥ · · · ≥ Cp,q

Dt−→t→∞Cp,q

Un.

We conclude that any probability of collision Cp,qD , where D is any distribution along S, is

bigger or equal to the probability of collision Cp,qUs

which uses uniformly distributed SAS.

In conclusion, any authentication protocol must use uniformly distributed SAS. Any otherdistribution allows adversaries to find collisions with higher probability or smaller complexityand thus the protocol is less secure.

82

secure communications over insecure channels using an ...secure communications over insecure...

Documents